
Targeting Physically Addressable Memory

  • Conference paper
Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2007)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 4579)

Abstract

This paper introduces new advances in gaining unauthorised access to a computer by accessing its physical memory via various means. We will show a unified approach for using IEEE1394, also known as firewire, file descriptors and other methods to read from and write into a victim’s memory. Thereafter we will show the power of this ability in several example attacks: stealing private SSH keys, and injecting arbitrary code in order to obtain interactive access with administrator privileges on the victim’s computer.

These advances are based on the data structures the CPU requires in order to provide a virtual address space for each process running on the system. These data structures are searched and parsed in order to reassemble pages scattered in physical memory, making it possible to read and write within each process's virtual address space.

The attacks introduced in this paper are adaptable to all kinds of operating system and hardware combinations. As a sample target, we have chosen Linux on an IA-32 system with the kernel options CONFIG_NOHIGHMEM or CONFIG_HIGHMEM4G, CONFIG_VMSPLIT_3G and CONFIG_PAGE_OFFSET=0xC0000000.
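The data structures the abstract refers to are the IA-32 page directory and page tables. The following is an added, read-only illustration (not code from the paper) of how a memory-forensics tool walks those structures in a captured physical memory image to reassemble a process's virtual address space; it assumes the paper's sample configuration (non-PAE two-level paging, CONFIG_PAGE_OFFSET=0xC0000000) and uses a constructed image whose CR3 value, table layout and page contents are invented for the example.

```python
import struct

PAGE_OFFSET = 0xC0000000   # CONFIG_PAGE_OFFSET of the sample target
PAGE_SIZE = 0x1000
PRESENT = 0x1              # bit 0 of a PDE/PTE: entry is valid
PS = 0x80                  # bit 7 of a PDE: maps a 4 MiB page directly

def kernel_virt_to_phys(vaddr):
    """Linux lowmem is linearly mapped: virt = phys + PAGE_OFFSET."""
    if vaddr < PAGE_OFFSET:
        raise ValueError("not a lowmem kernel address")
    return vaddr - PAGE_OFFSET

def translate(mem, cr3, vaddr):
    """Walk the two-level IA-32 page tables found in the physical image
    'mem' (bytes). Returns the physical address or None if not present."""
    pde_addr = (cr3 & ~0xFFF) + ((vaddr >> 22) & 0x3FF) * 4
    pde = struct.unpack_from("<I", mem, pde_addr)[0]
    if not pde & PRESENT:
        return None
    if pde & PS:  # 4 MiB page: bits 31..22 of the PDE are the frame
        return (pde & 0xFFC00000) | (vaddr & 0x3FFFFF)
    pte_addr = (pde & ~0xFFF) + ((vaddr >> 12) & 0x3FF) * 4
    pte = struct.unpack_from("<I", mem, pte_addr)[0]
    if not pte & PRESENT:
        return None
    return (pte & ~0xFFF) | (vaddr & 0xFFF)

def read_virtual(mem, cr3, vaddr, n):
    """Read n bytes at a virtual address, following page boundaries."""
    out = bytearray()
    while n:
        phys = translate(mem, cr3, vaddr)
        if phys is None:
            return None
        chunk = min(n, PAGE_SIZE - (vaddr & 0xFFF))
        out += mem[phys:phys + chunk]
        vaddr, n = vaddr + chunk, n - chunk
    return bytes(out)

def build_image():
    """Constructed 24 KiB 'physical memory' with a tiny page hierarchy."""
    mem = bytearray(0x6000)
    cr3 = 0x1000  # page directory lives at physical 0x1000
    # PDE 0 -> page table at 0x2000; PDE 0x300 (0xC0000000) -> 4 MiB page at 0
    struct.pack_into("<I", mem, cr3 + 0 * 4, 0x2000 | PRESENT)
    struct.pack_into("<I", mem, cr3 + 0x300 * 4, 0x0 | PS | PRESENT)
    # PTE 5 (virtual 0x5000) -> physical frame 0x4000
    struct.pack_into("<I", mem, 0x2000 + 5 * 4, 0x4000 | PRESENT)
    mem[0x4000:0x4010] = b"SECRET-PAGE-DATA"
    return bytes(mem), cr3
```

The same frame is reachable both through the process mapping at 0x5000 and through the kernel's linear lowmem mapping at 0xC0004000, which is why scanning page tables suffices to locate a page wherever it was scattered physically.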




Editor information

Bernhard M. Hämmerli Robin Sommer


Copyright information

© 2007 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Piegdon, D.R., Pimenidis, L. (2007). Targeting Physically Addressable Memory. In: M. Hämmerli, B., Sommer, R. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2007. Lecture Notes in Computer Science, vol 4579. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-73614-1_12


  • DOI: https://doi.org/10.1007/978-3-540-73614-1_12

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-73613-4

  • Online ISBN: 978-3-540-73614-1
