[qubes-users] Re: Question on DMA attacks

2016-07-14 Thread raahelps
I can't find any PoC for a sound card. I imagine it would be possible though; 
maybe it depends on the card, probably a plugged-in one. But I'm talking out my 
ass and have no idea what I'm talking about. Maybe in the future Qubes will be 
isolating the sound controller as well, lol.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8a30d7d4-94f3-47d2-b52e-87e4f033bb9e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Re: Question on DMA attacks

2016-07-14 Thread raahelps
On Friday, July 15, 2016 at 12:00:57 AM UTC-4, neilh...@gmail.com wrote:
> Oh OK. I see you have now updated with a new answer.
> 
> "The main benefit would be to try and prevent dma attacks from the network 
> card and the netvm,   which receives all the packets from the internet"

Maybe just a MITM, maybe your infected router infecting your net card. I mean, 
I really don't know; there are many possibilities for where the malicious 
packet is coming from.

I don't really think the attack would be coming from an infected AppVM, which, 
it should be noted, is also not easy to make persistent. But it is possible for 
an infected AppVM to then infect the NetVM and then change your net card 
firmware, I guess. Again, not as easy as just that magic packet coming from god 
knows where to your very vulnerable network card.

You know what, get the IOMMU machine. It's also not 100% (nothing is), but it 
would make it a lot harder.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/6449d6ef-eb1d-4423-b71c-40bf12a81545%40googlegroups.com.


[qubes-users] Re: Question on DMA attacks

2016-07-14 Thread neilhardley
So essentially, this is isolating the network card/Wi-Fi from dom0.

Just like you create a USB qube to isolate USB from dom0.

But still, no one has ever shown a proof of concept for this. You see plenty of 
videos of people exploiting browsers with Metasploit, but no videos of anyone 
doing DMA attacks.

Still, I take Joanna's word for it that it's a real thing.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b3488f64-b5da-4581-a77f-972225ad7bd2%40googlegroups.com.


[qubes-users] Re: Question on DMA attacks

2016-07-14 Thread raahelps
On Friday, July 15, 2016 at 12:00:11 AM UTC-4, raah...@gmail.com wrote:
> On Thursday, July 14, 2016 at 11:57:48 PM UTC-4, neilh...@gmail.com wrote:
> > But it's still not clear how these malicious packets can be sent to the 
> > network card. Can these be sent after compromising an App VM (via 
> > something like a browser exploit)?
> > 
> > Or can they be sent purely over the internet itself, to any device 
> > connected to the web? Directly sending packets just over the web?
> > 
> > Or does it require attacking the Net VM, and not just the App VM, however 
> > that would be done?
> > 
> > I'm just trying to figure out FROM WHERE the network card could be attacked.
> 
> All network packets go to your network card. I'm not sure what you mean? It 
> can be attacked from anywhere on the World Wide Web.

I guess you are asking me specifically how? I dunno, man, I'm a noob. I guess 
there are many ways, for example a reverse shell from a buggy dhclient or an 
ICMP packet, or who the heck knows. Probably too many possibilities to list. 
Joanna's blog mentioned a PoC from a buffer overflow.

Another thing to consider is that you have to trust the Intel firmware sometimes.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8b0d3cd9-2dd1-48c3-9279-852f3ccd083d%40googlegroups.com.


[qubes-users] Re: Question on DMA attacks

2016-07-14 Thread neilhardley
Oh OK. I see you have now updated with a new answer.

"The main benefit would be to try and prevent dma attacks from the network card 
and the netvm,   which receives all the packets from the internet"

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c59266e7-0738-4ed0-af25-90996a5d1322%40googlegroups.com.


[qubes-users] Re: Question on DMA attacks

2016-07-14 Thread raahelps
On Thursday, July 14, 2016 at 11:57:48 PM UTC-4, neilh...@gmail.com wrote:
> But it's still not clear how these malicious packets can be sent to the 
> network card. Can these be sent after compromising an App VM (via 
> something like a browser exploit)?
> 
> Or can they be sent purely over the internet itself, to any device 
> connected to the web? Directly sending packets just over the web?
> 
> Or does it require attacking the Net VM, and not just the App VM, however 
> that would be done?
> 
> I'm just trying to figure out FROM WHERE the network card could be attacked.

All network packets go to your network card. I'm not sure what you mean? It 
can be attacked from anywhere on the World Wide Web.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5f786f78-c036-4dfd-900d-a6bca73db465%40googlegroups.com.


[qubes-users] Re: Question on DMA attacks

2016-07-14 Thread neilhardley
But it's still not clear how these malicious packets can be sent to the network 
card. Can these be sent after compromising an App VM (via something like a 
browser exploit)?

Or can they be sent purely over the internet itself, to any device connected 
to the web? Directly sending packets just over the web?

Or does it require attacking the Net VM, and not just the App VM, however that 
would be done?

I'm just trying to figure out FROM WHERE the network card could be attacked.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/24ed289e-dec9-4d6e-86b8-14763a5bcf37%40googlegroups.com.


[qubes-users] Re: Question on DMA attacks

2016-07-14 Thread raahelps
On Thursday, July 14, 2016 at 10:22:28 PM UTC-4, neilh...@gmail.com wrote:
> From the user FAQ:
> 
> https://www.qubes-os.org/doc/user-faq/#can-i-install-qubes-on-a-system-without-vt-d
> 
> "an attacker could always use a simple DMA attack to go from the NetVM to 
> Dom0"
> 
> So what does this mean, though?
> 
> Can they launch this DMA attack from a compromised App VM?
> 
> Could they simply do a browser exploit in an App VM, and then do a DMA attack 
> from there to go to dom0?
> 
> Or is it a lot harder than that?
> 
> I'm just trying to work out whether it's really worth buying a new laptop 
> just to get VT-d. I currently have VT-x, but not VT-d.

I'm no expert, but I'll try to answer your questions.

DMA generally means malware put in the network card or graphics card to get 
direct memory access. In other words, malware going straight from the piece of 
hardware, bypassing the operating system software, to use, retrieve, or 
manipulate the running memory directly.

It's not a browser exploit unless somehow the browser exploits and infects the 
graphics card, which is highly unlikely in Qubes since most of the GPU functions 
are limited to dom0 and not in the AppVM where you would be running your browser.

The main benefit would be to try and prevent DMA attacks from the network card 
and the NetVM, which receives all the packets from the internet, and which 
Qubes considers always unsafe. How hard is it? Probably not as hard as 
infecting the GPU card, and, well, I'm only a noob, but I doubt it's very easy. 
It's probably something that would happen from a more personal or targeted 
attack, not something random. But then again, this is 2016, so who knows, lol.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c0ad504e-04fc-423f-8a79-bd6082e2a1ec%40googlegroups.com.
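Added example (not part of the thread, and not Qubes project code): before deciding whether a new laptop is needed, as the question above asks, and before acting on the "get the IOMMU machine" advice earlier in the thread, it helps to know whether the machine in hand already has a working IOMMU (Intel VT-d or AMD-Vi). The POSIX shell below classifies kernel or Xen boot messages as IOMMU enabled/disabled/unknown and counts Linux IOMMU groups under /sys. The sample log lines are constructed, modelled on the messages the Linux intel-iommu and amd-iommu drivers and Xen print; the live report assumes a Linux host or Xen dom0 where `dmesg`, `xl dmesg` and /sys/kernel/iommu_groups are readable (run it as root).

```shell
#!/bin/sh
# Added example, not from the thread or the Qubes project: decide whether a
# machine actually has a working IOMMU (Intel VT-d / AMD-Vi).  The parsing is
# exercised on constructed sample log lines; report_live reads the real
# kernel ring buffer, Xen's log and /sys on the machine it is run on.

# Print "enabled", "disabled" or "unknown" for log text read on stdin.
# Matches the Linux "DMAR: IOMMU enabled/disabled" and "AMD-Vi: Found IOMMU"
# driver messages and Xen's "I/O virtualisation enabled/disabled" line,
# which is what `xl dmesg` shows in Qubes dom0.
iommu_from_log() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -Eq 'I/O virtualisation disabled|DMAR: IOMMU disabled'; then
        echo disabled
    elif printf '%s\n' "$log" | grep -Eq 'I/O virtualisation enabled|DMAR: IOMMU enabled|AMD-Vi: Found IOMMU'; then
        echo enabled
    else
        echo unknown
    fi
}

# Count IOMMU groups under a sysfs-style directory (default
# /sys/kernel/iommu_groups).  A Linux kernel that drives the IOMMU itself
# creates one subdirectory per group; zero means the kernel is not using an
# IOMMU, or, under Xen, that the hypervisor owns it and hid it from dom0.
iommu_groups_present() {
    dir=${1:-/sys/kernel/iommu_groups}
    n=0
    if [ -d "$dir" ]; then
        for g in "$dir"/*/; do
            [ -d "$g" ] && n=$((n + 1))
        done
    fi
    echo "$n"
}

# Live report for the machine this runs on.  In Qubes dom0 the `xl dmesg`
# line is the one that matters, because Xen, not the dom0 kernel, programs
# the IOMMU.  Unreadable logs (e.g. inside a VM) show up as "unknown".
report_live() {
    if command -v xl >/dev/null 2>&1; then
        echo "xen:          $(xl dmesg 2>/dev/null | iommu_from_log)"
    fi
    echo "linux:        $(dmesg 2>/dev/null | iommu_from_log)"
    echo "iommu groups: $(iommu_groups_present)"
}

# Constructed sample logs (not captured from a real machine), shaped like the
# messages the Linux DMAR/AMD-Vi drivers and Xen print at boot.
SAMPLE_LINUX_VTD_ON='[    0.000000] DMAR: IOMMU enabled
[    0.012345] DMAR: Host address width 39
[    0.012346] DMAR: DRHD base: 0x000000fed90000 flags: 0x0'
SAMPLE_XEN_OFF='(XEN) Xen version 4.6.1
(XEN) I/O virtualisation disabled'
SAMPLE_NO_IOMMU='[    0.000000] Linux version 4.4.14
[    0.000000] Command line: root=/dev/sda1'

# Run the classifier over the constructed samples; add `report_live` to
# inspect the actual machine.
for s in "$SAMPLE_LINUX_VTD_ON" "$SAMPLE_XEN_OFF" "$SAMPLE_NO_IOMMU"; do
    printf '%s\n' "$s" | iommu_from_log
done
```

Two caveats a practitioner would want. First, a CPU with VT-d is not enough on its own: the chipset and firmware must expose it (the DMAR ACPI table) and it must be switched on in the BIOS, and the switched-off case shows up here as "disabled", not "unknown". Second, on a Xen dom0 the dom0 kernel's /sys/kernel/iommu_groups can be empty on a perfectly good VT-d machine, because Xen keeps the IOMMU for itself; trust `xl dmesg` there. Qubes also ships `qubes-hcl-report`, whose output includes an I/O MMU line, which is the quickest answer on an installed system.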


[qubes-users] Re: Question on DMA attacks

2016-07-14 Thread raahelps
On Thursday, July 14, 2016 at 10:22:28 PM UTC-4, neilh...@gmail.com wrote:
> From the user FAQ:
> 
> https://www.qubes-os.org/doc/user-faq/#can-i-install-qubes-on-a-system-without-vt-d
> 
> "an attacker could always use a simple DMA attack to go from the NetVM to 
> Dom0"
> 
> So what does this mean, though?
> 
> Can they launch this DMA attack from a compromised App VM?
> 
> Could they simply do a browser exploit in an App VM, and then do a DMA attack 
> from there to go to dom0?
> 
> Or is it a lot harder than that?
> 
> I'm just trying to work out whether it's really worth buying a new laptop 
> just to get VT-d. I currently have VT-x, but not VT-d.

I guess it's up to your budget, man. Maybe this will help you decide.
http://theinvisiblethings.blogspot.com/2010/04/remotely-attacking-network-cards-or-why.html

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f741e714-84a1-4847-a6a3-a0bd1a8527a7%40googlegroups.com.