Re: [qubes-users] Re: Can DMA attacks work against Ethernet... or just WiFi/wireless...?

2016-09-13 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Tue, Sep 13, 2016 at 08:29:59AM -0700, ludwig jaffe wrote:
> On Monday, 12 September 2016 01:29:14 UTC+2, neilh...@gmail.com wrote:
> > Qubes uses VT-D to protect against DMA attacks on things such as WiFi chip.
> > 
> > But are there any proven DMA attacks against wired networking, i.e. 
> > Ethernet..?
> > 
> > Hackers can exploit a buffer overflow on the network card's firmware, and 
> > use that to take control of the network card, and issue a DMA attack to 
> > take control of the entire host computer.
> > 
> > I previously posted a thread about this on qubes-users ("Question on DMA 
> > attacks")
> > ... and Marek mentioned WiFi when speaking of DMA attacks.
> > 
> > Is Ethernet also vulnerable...? Or just WiFi..?
> > 
> > I say this because I wanted to build a Tor router that sits between Qubes 
> > and my main router... so that even if Qubes gets hacked, they can only see 
> > what I'm doing, and not WHO I am. The theory being, that there are no 
> > exploits for Tor itself, and only for the Firefox browser. Thus, the IP 
> > address is always obscured behind the Tor router.
> > 
> > So my router box is going to have Ethernet only, because if my Qubes is 
> > hacked, then it could just use WiFi to scan for nearby routers, including 
> > my own WiFi router, and thus identify me.
> > 
> > So, wired networking is a must.
> > 
> > And thus, I wanted to know if Ethernet is vulnerable to DMA attacks, 
> > because if it is, then I would have to use Qubes for the Tor box in the 
> > middle.. or at least, use some OS that supports VT-D, even if it's not 
> > Qubes.
> > 
> > Qubes has high system requirements, thus I'd prefer to have a cheap 
> > computer as the Tor router in the middle.. But if there truly are exploits 
> > against Ethernet, then I'll just have to use Qubes.
> 
> VT-d can do memory insulation, and should assign a memory range (pci-address 
> space of a pci device) exclusively to one VM, so the attacker of that hw can 
> do DMA into that VM, if done properly.
> But there is that evil ME in the Northbridge. How does the ME-processor 
> behave regarding VT-d? Can it be assigned exclusively to a honey-pot-vm that 
> runs windows2000?

AFAIR ME can bypass VT-d :(

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJX2ChPAAoJENuP0xzK19cs2uIH/0yJViqxqwkhtcnmAKZGCS6I
T+PTZyoupW+MVYCAyruNn476iz5wKlFEzmNpyNl2M7tKp13zThyZ80QYFBXcL3dX
gSfIRAG1o5/e6UJBkGEu6XHo2YdH1agr8Yv1UL5s46ptOMJqzG0z5yJjFxU6CfAU
FCKSwo+YlYMmXjEkGyoBtOfLGdNKiSUJKjZutwYzYw2dIAToJhRAliWEjoXoLdFG
9eSBVIq/OUmeRS5LOSw0KVCoFHnHI8li+DOW/OD43tFdeJR5p+tbYMbI0AVA55pw
x6tjyw96DnXTefBcqqSb9hfjc3jWVG4f7wl/IgQ597cdI4kE0W8Zka0Nw9O3xZ8=
=gv/y
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20160913162447.GE31510%40mail-itl.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Can DMA attacks work against Ethernet... or just WiFi/wireless...?

2016-09-13 Thread pixel fairy
On Tuesday, September 13, 2016 at 8:57:14 AM UTC-7, johny...@sigaint.org wrote:
> > On Monday, 12 September 2016 01:29:14 UTC+2, neilh...@gmail.com wrote:
> >> Qubes uses VT-D to protect against DMA attacks on things such as WiFi
> >> chip.

by having a separate tor gateway, you now have two machines to worry about.
depending on your threat model, you're probably better off just using whonix in
qubes.

> >>
> >> But are there any proven DMA attacks against wired networking, i.e.
> >> Ethernet..?

this is what VT-D is for.

> But if any internal firmware of a network card, say, is compromised
> through some buffer overflow or whatever, it can just go ahead and
> initiate DMA operations at will?

we have to assume yes.

> But if you're not running any (potentially compromised) BIOS ROM or
> compromised driver, is it possible for a rogue Net card to just start
> writing to memory at will without any OS support/setup?

have you seen the exploits of fancy graphics cards? especially nvidia! same bus.
 
> (I guess a rogue netcard firmware is free to modify any network payload,
> which is powerful as well; but short of that, can it actually compromise a
> system or a VM?)

should just be the vm, unless the exploit can break out of it.

> JJ

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/3d02a0b1-c612-4c9f-862c-97b28cc6bbb6%40googlegroups.com.


Re: [qubes-users] Re: Can DMA attacks work against Ethernet... or just WiFi/wireless...?

2016-09-13 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Tue, Sep 13, 2016 at 03:57:00PM -, johnyju...@sigaint.org wrote:
> > On Monday, 12 September 2016 01:29:14 UTC+2, neilh...@gmail.com wrote:
> >> Qubes uses VT-D to protect against DMA attacks on things such as WiFi
> >> chip.
> >>
> >> But are there any proven DMA attacks against wired networking, i.e.
> >> Ethernet..?
> >>
> >> Hackers can exploit a buffer overflow on the network card's firmware,
> >> and use that to take control of the network card, and issue a DMA attack
> >> to take control of the entire host computer.
> 
> I've often wondered this.
> 
> I figured that most modern operating systems didn't use any device BIOS,
> but used their own (e.g. Linux) drivers instead.
> 
> But if any internal firmware of a network card, say, is compromised
> through some buffer overflow or whatever, it can just go ahead and
> initiate DMA operations at will?

Yes, it can.

> In my (ancient) experience with DMA, a driver would typically set things
> up to be transferred via DMA when the data is available, or whatever,
> indicating where the transfer should occur, and so forth.

Yes, the driver typically sends some request to the device to do this and
that on memory address xyz. But the device can act on its own without such a
request. In normal cases the device would not know where the buffer
prepared by the driver is, but in the malicious case it is no longer about such
a prepared buffer.

VT-d acts as a kind of firewall allowing the device to access only certain
memory areas.

> (I guess that memory address is likely given to the device to use when the
> time comes, and not necessarily needed by the OS for the transfer?)
> 
> But if you're not running any (potentially compromised) BIOS ROM or
> compromised driver, is it possible for a rogue Net card to just start
> writing to memory at will without any OS support/setup?

Yes.

> (I guess a rogue netcard firmware is free to modify any network payload,
> which is powerful as well; but short of that, can it actually compromise a
> system or a VM?)
> 
> JJ
> 

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJX2CSIAAoJENuP0xzK19csNQUH/0mq+bChVYdVEW7c18oackFH
bDjsY43jWO/o7IoPd7ejl8YijpDZBYBoo0nGlP1ATV7xERiA5IS1WamnSYj7tWFH
9+8MIYxtN1CgAdYWKH70+GL6tjZtUrPNyHw8sB+hAofJOrSmAwuxgE3CkPvC9Yvk
4d5wvHFThrmk4qQzoAyB8tQG06t3oY49sOsxU0unaXTD1PAyPUYWEkEFZczv/dM3
CJozmwSemG9WI5X8HG+yoaJCkZ64yNtyzV5s5YAs00SLHw+A0kCDnF/0+wBO11BC
uWC7dXnDQcUISavIKoOTdoZv5bGu1jNNZtlqRVTK9pKhz0PqsD7IlM5m+s0XOEE=
=PTDa
-END PGP SIGNATURE-

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/20160913160840.GD31510%40mail-itl.
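Marek's point above (the driver hands the device a buffer address, but a device can issue DMA to any address on its own, and VT-d acts as a firewall limiting it to certain memory areas) as a runnable toy model. This is an added example for this thread, not code from Qubes OS, Xen or any NIC driver: the PCI address 02:00.0, the VM names dom0 and sys-net, and the page layout are constructed for illustration, and the fault text is only loosely modelled on the Linux kernel's DMAR fault messages.

```python
"""Toy model of IOMMU (Intel VT-d) DMA remapping.

Added example, not Qubes/Xen code.  PCI address, VM names and page layout
are constructed; fault text is loosely modelled on Linux DMAR fault lines.
"""
from dataclasses import dataclass, field

PAGE = 0x1000
PAGE_MASK = ~(PAGE - 1)


class DmarFault(Exception):
    """The IOMMU rejected a DMA request (a DMAR fault)."""


@dataclass
class Domain:
    """One VM's IOMMU domain: the only pages its devices may reach."""
    name: str
    # device-visible (guest-physical) page -> host-physical page
    page_table: dict = field(default_factory=dict)


@dataclass
class Iommu:
    enabled: bool = True
    # PCI BDF -> Domain: the context table saying which VM owns each device
    context: dict = field(default_factory=dict)
    faults: list = field(default_factory=list)

    def assign(self, bdf, domain):
        self.context[bdf] = domain

    def translate(self, bdf, dev_addr, write):
        """Map a device's DMA address to host-physical, or raise DmarFault."""
        if not self.enabled:
            # No remapping: device addresses are host-physical, so the device
            # can reach any RAM it likes, whatever the driver asked for.
            return dev_addr
        domain = self.context.get(bdf)
        if domain is None:
            self._fault(bdf, dev_addr, write, "no context entry for device")
        host_page = domain.page_table.get(dev_addr & PAGE_MASK)
        if host_page is None:
            self._fault(bdf, dev_addr, write, "page not present in domain")
        return host_page | (dev_addr & (PAGE - 1))

    def _fault(self, bdf, addr, write, reason):
        kind = "DMA Write" if write else "DMA Read"
        self.faults.append(
            f"[{kind}] Request device [{bdf}] fault addr {addr:#x} ({reason})")
        raise DmarFault(self.faults[-1])


@dataclass
class Host:
    iommu: Iommu
    # host-physical page -> [owning VM, page contents]
    memory: dict = field(default_factory=dict)

    def give_page(self, owner, host_page):
        self.memory[host_page] = [owner, bytearray(PAGE)]

    def dma_address(self, domain, host_page):
        """The address a VM's driver hands the device for a buffer it owns."""
        if not self.iommu.enabled:
            return host_page
        for iova, hp in domain.page_table.items():
            if hp == host_page:
                return iova
        raise KeyError("buffer page is not mapped into the domain")

    def dma_write(self, bdf, dev_addr, data):
        """Device-initiated write; returns which VM's memory was modified."""
        host_addr = self.iommu.translate(bdf, dev_addr, write=True)
        page, off = host_addr & PAGE_MASK, host_addr & (PAGE - 1)
        if page not in self.memory:
            raise ValueError(f"no RAM at {host_addr:#x}")
        owner, buf = self.memory[page]
        buf[off:off + len(data)] = data
        return owner


# Constructed layout: a NIC at 02:00.0 assigned to sys-net, one page each
# for dom0 and sys-net, and sys-net's RX buffer visible to the NIC at 0x1000.
NIC_BDF = "02:00.0"
DOM0_PAGE = 0x10000
NETVM_RX_PAGE = 0x20000


def run_scenario(iommu_enabled):
    host = Host(Iommu(enabled=iommu_enabled))
    host.give_page("dom0", DOM0_PAGE)
    host.give_page("sys-net", NETVM_RX_PAGE)
    sys_net = Domain("sys-net", {0x1000: NETVM_RX_PAGE})
    host.iommu.assign(NIC_BDF, sys_net)

    result = {"legit_owner": None, "rogue_owner": None, "faults": 0}
    # 1. Normal operation: the driver tells the NIC where the RX buffer is.
    rx = host.dma_address(sys_net, NETVM_RX_PAGE)
    result["legit_owner"] = host.dma_write(NIC_BDF, rx, b"packet")
    # 2. Compromised firmware ignores the driver and targets dom0's RAM.
    try:
        result["rogue_owner"] = host.dma_write(NIC_BDF, DOM0_PAGE + 0x40, b"evil")
    except DmarFault:
        pass
    result["faults"] = len(host.iommu.faults)
    return result


if __name__ == "__main__":
    for enabled in (False, True):
        print("VT-d", "on " if enabled else "off", run_scenario(enabled))
```

With remapping off, the rogue write lands in dom0's page and no fault is recorded; with it on, the same write is rejected because the NIC's domain only maps sys-net's buffer, which is the "firewall" behaviour the reply describes.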


[qubes-users] Re: Can DMA attacks work against Ethernet... or just WiFi/wireless...?

2016-09-13 Thread ludwig jaffe
On Monday, 12 September 2016 01:29:14 UTC+2, neilh...@gmail.com wrote:
> Qubes uses VT-D to protect against DMA attacks on things such as WiFi chip.
> 
> But are there any proven DMA attacks against wired networking, i.e. 
> Ethernet..?
> 
> Hackers can exploit a buffer overflow on the network card's firmware, and use 
> that to take control of the network card, and issue a DMA attack to take 
> control of the entire host computer.
> 
> I previously posted a thread about this on qubes-users ("Question on DMA 
> attacks")
> ... and Marek mentioned WiFi when speaking of DMA attacks.
> 
> Is Ethernet also vulnerable...? Or just WiFi..?
> 
> I say this because I wanted to build a Tor router that sits between Qubes and 
> my main router... so that even if Qubes gets hacked, they can only see what 
> I'm doing, and not WHO I am. The theory being, that there are no exploits for 
> Tor itself, and only for the Firefox browser. Thus, the IP address is always 
> obscured behind the Tor router.
> 
> So my router box is going to have Ethernet only, because if my Qubes is 
> hacked, then it could just use WiFi to scan for nearby routers, including my 
> own WiFi router, and thus identify me.
> 
> So, wired networking is a must.
> 
> And thus, I wanted to know if Ethernet is vulnerable to DMA attacks, because 
> if it is, then I would have to use Qubes for the Tor box in the middle.. or 
> at least, use some OS that supports VT-D, even if it's not Qubes.
> 
> Qubes has high system requirements, thus I'd prefer to have a cheap computer 
> as the Tor router in the middle.. But if there truly are exploits against 
> Ethernet, then I'll just have to use Qubes.

VT-d can do memory insulation, and should assign a memory range (pci-address 
space of a pci device) exclusively to one VM, so the attacker of that hw can do 
DMA into that VM, if done properly.
But there is that evil ME in the Northbridge. How does the ME-processor behave 
regarding VT-d? Can it be assigned exclusively to a honey-pot-vm that runs 
windows2000?

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/6197ee2d-d60c-4d33-b26f-618ab23e5eac%40googlegroups.com.


[qubes-users] Re: Can DMA attacks work against Ethernet... or just WiFi/wireless...?

2016-09-13 Thread Vít Šesták
4. It depends on whether you just disable Wi-Fi, or you don't have the hardware at all.

Removing the wireless radio, microphone and camera might be hard on laptops, so it
depends on the hardware you have. I wanted to note that staying anonymous with the
whole physical (or even a virtual) machine compromised might be hard, but it
depends on your usage, your hardware and on your threat model. BTW, various
deanonymization attacks are described on the Whonix wiki. Some of them are rather
trivial and target unskilled users, some are more advanced.

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/c65d316c-abe1-471a-b5d5-ba505310bcdb%40googlegroups.com.


[qubes-users] Re: Can DMA attacks work against Ethernet... or just WiFi/wireless...?

2016-09-12 Thread jkitt
Any software can have flaws. The only distinction between Ethernet and WiFi in
that regard is that WiFi can be exploited by anyone within RF range, regardless
of whether they're authenticated to the same network or not; Ethernet requires a
physical connection.

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/f7f5322d-a304-439a-bb0f-3b122a14d25a%40googlegroups.com.


[qubes-users] Re: Can DMA attacks work against Ethernet... or just WiFi/wireless...?

2016-09-12 Thread neilhardley
jkitt, yeah, I know that Ethernet is capable of DMA.

But DMA is different from a DMA attack.

A DMA attack is when a hacker exploits a software error in the Ethernet
firmware, and uses that to take over the device and issue malicious DMA attacks.

So I guess I'm asking whether any such software errors have been found in 
Ethernet firmware before.

Things like you could get with ordinary software, like buffer overflow, heap 
overflow etc.

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/753a71d6-451f-4b58-95f4-880f828d2b1e%40googlegroups.com.


[qubes-users] Re: Can DMA attacks work against Ethernet... or just WiFi/wireless...?

2016-09-11 Thread jkitt
On Monday, 12 September 2016 00:29:14 UTC+1, neilh...@gmail.com  wrote:
> Qubes uses VT-D to protect against DMA attacks on things such as WiFi chip.
> 
> But are there any proven DMA attacks against wired networking, i.e. 
> Ethernet..?
> 
> Hackers can exploit a buffer overflow on the network card's firmware, and use 
> that to take control of the network card, and issue a DMA attack to take 
> control of the entire host computer.
> 
> I previously posted a thread about this on qubes-users ("Question on DMA 
> attacks")
> ... and Marek mentioned WiFi when speaking of DMA attacks.
> 
> Is Ethernet also vulnerable...? Or just WiFi..?
> 
> I say this because I wanted to build a Tor router that sits between Qubes and 
> my main router... so that even if Qubes gets hacked, they can only see what 
> I'm doing, and not WHO I am. The theory being, that there are no exploits for 
> Tor itself, and only for the Firefox browser. Thus, the IP address is always 
> obscured behind the Tor router.
> 
> So my router box is going to have Ethernet only, because if my Qubes is 
> hacked, then it could just use WiFi to scan for nearby routers, including my 
> own WiFi router, and thus identify me.
> 
> So, wired networking is a must.
> 
> And thus, I wanted to know if Ethernet is vulnerable to DMA attacks, because 
> if it is, then I would have to use Qubes for the Tor box in the middle.. or 
> at least, use some OS that supports VT-D, even if it's not Qubes.
> 
> Qubes has high system requirements, thus I'd prefer to have a cheap computer 
> as the Tor router in the middle.. But if there truly are exploits against 
> Ethernet, then I'll just have to use Qubes.

DMA is a privilege given to PCI(e) devices (DMA controllers) - eNICs run over
the PCI(e) bus - a lot of eNICs have DMA controllers. RDMA is a specification
that relies solely on DMA.

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/6f4d87a1-a09c-4622-ac9d-8c913bc39ca2%40googlegroups.com.