Abstract
This paper introduces new advances in gaining unauthorised access to a computer by accessing its physical memory via various means. We show a unified approach for using IEEE 1394, also known as FireWire, file descriptors and other methods to read from and write into a victim's memory. Thereafter we show the power of this ability in several example attacks: stealing private SSH keys, and injecting arbitrary code in order to obtain interactive access with administrator privileges on the victim's computer.
These advances are based on the data structures that the CPU requires in order to provide a virtual address space for each process running on the system. These data structures are searched for and parsed in order to reassemble pages scattered across physical memory, which makes it possible to read from and write into each process's virtual address space.
The attacks introduced in this paper are adaptable to a wide range of operating system and hardware combinations. As a sample target, we have chosen Linux on an IA-32 system with the kernel options CONFIG_NOHIGHMEM or CONFIG_HIGHMEM4G, CONFIG_VMSPLIT_3G and CONFIG_PAGE_OFFSET=0xC0000000.
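The following is an added example, not code from the paper: a two-level IA-32 page-table walk (4 KiB pages, no PAE) run over a constructed "physical memory" image, using the sample target's PAGE_OFFSET of 0xC0000000. It shows how an attacker with raw physical-memory access reassembles a process's virtual address space from page directory and page table entries (CR3 → PDE → PTE), reads a string that straddles two physically non-adjacent frames, and locates candidate page directories by scanning for the kernel mapping every process shares. The image layout, the secret string, the frame addresses and the page-directory scan heuristic are all constructed assumptions for the example; the paper's own search criteria are not reproduced here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PHYS_SIZE   (1u << 20)      /* constructed 1 MiB "physical memory" image */
#define PAGE_SIZE   4096u
#define PAGE_OFFSET 0xC0000000u     /* CONFIG_PAGE_OFFSET: kernel VA = PA + PAGE_OFFSET */
#define PTE_P       0x001u          /* present */
#define PTE_RW      0x002u          /* writable */
#define PTE_US      0x004u          /* user-accessible */
#define PDE_PS      0x080u          /* PDE maps a 4 MiB page (PSE) */

static uint8_t phys[PHYS_SIZE];

static uint32_t rd32(uint32_t pa) {
    uint32_t v = 0;
    if (pa <= PHYS_SIZE - 4) memcpy(&v, phys + pa, 4);
    return v;
}
static void wr32(uint32_t pa, uint32_t v) {
    if (pa <= PHYS_SIZE - 4) memcpy(phys + pa, &v, 4);
}

/* Two-level IA-32 walk (no PAE): CR3 -> PDE -> PTE -> physical address.
 * Returns 0 and sets *pa on success, -1 if a level is not present. */
int translate(uint32_t cr3, uint32_t va, uint32_t *pa) {
    uint32_t pde = rd32((cr3 & 0xFFFFF000u) + ((va >> 22) & 0x3FFu) * 4);
    if (!(pde & PTE_P)) return -1;
    if (pde & PDE_PS) {                       /* 4 MiB page: PA bits 31..22 come from the PDE */
        *pa = (pde & 0xFFC00000u) | (va & 0x003FFFFFu);
        return 0;
    }
    uint32_t pte = rd32((pde & 0xFFFFF000u) + ((va >> 12) & 0x3FFu) * 4);
    if (!(pte & PTE_P)) return -1;
    *pa = (pte & 0xFFFFF000u) | (va & 0xFFFu);
    return 0;
}

/* Read a virtual range one page at a time, re-translating at every page
 * boundary so that physically scattered pages are reassembled in order. */
int read_virtual(uint32_t cr3, uint32_t va, void *out, size_t len) {
    uint8_t *dst = out;
    while (len) {
        uint32_t pa;
        size_t chunk = PAGE_SIZE - (va & 0xFFFu);
        if (chunk > len) chunk = len;
        if (translate(cr3, va, &pa) || pa > PHYS_SIZE - chunk) return -1;
        memcpy(dst, phys + pa, chunk);
        dst += chunk; va += chunk; len -= chunk;
    }
    return 0;
}

/* Heuristic scan for page directories (an assumption for this example, not the
 * paper's exact method): every process shares the kernel mapping, so the PDE
 * covering PAGE_OFFSET should be a present 4 MiB page starting at physical 0. */
size_t find_page_dirs(uint32_t *out, size_t max) {
    size_t n = 0;
    for (uint32_t p = 0; p < PHYS_SIZE && n < max; p += PAGE_SIZE) {
        uint32_t pde = rd32(p + (PAGE_OFFSET >> 22) * 4);
        if ((pde & (PTE_P | PDE_PS)) == (PTE_P | PDE_PS) && (pde & 0xFFC00000u) == 0)
            out[n++] = p;
    }
    return n;
}

/* Constructed layout: page directory at 0x1000, one page table at 0x2000, the
 * user VAs 0x08048000 and 0x08049000 backed by the non-adjacent frames 0x5000
 * and 0x7000, and the kernel's PAGE_OFFSET window as a 4 MiB page over physical
 * 0.  A constructed "secret" string straddles the user page boundary.
 * Returns the CR3 value an attacker would have to locate. */
uint32_t build_image(void) {
    const char *secret = "SECRET-KEY-MATERIAL-1234567890";
    uint32_t cr3 = 0x1000;
    memset(phys, 0, sizeof phys);
    wr32(cr3 + (PAGE_OFFSET >> 22) * 4, 0x00000000u | PTE_P | PTE_RW | PDE_PS);
    wr32(cr3 + (0x08048000u >> 22) * 4, 0x2000u | PTE_P | PTE_RW | PTE_US);
    wr32(0x2000u + ((0x08048000u >> 12) & 0x3FFu) * 4, 0x5000u | PTE_P | PTE_RW | PTE_US);
    wr32(0x2000u + ((0x08049000u >> 12) & 0x3FFu) * 4, 0x7000u | PTE_P | PTE_RW | PTE_US);
    memcpy(phys + 0x5FF0, secret, 16);                     /* last 16 bytes of frame 0x5000 */
    memcpy(phys + 0x7000, secret + 16, strlen(secret) + 1 - 16);
    return cr3;
}

int main(void) {
    uint32_t cr3 = build_image(), pa, dirs[4];
    char buf[64] = {0};
    size_t n = find_page_dirs(dirs, 4);
    printf("page directories found: %zu (first at 0x%x)\n", n, n ? dirs[0] : 0);
    if (translate(cr3, 0xC0001000u, &pa) == 0) printf("kernel VA 0xC0001000 -> PA 0x%x\n", pa);
    if (read_virtual(cr3, 0x08048FF0u, buf, 31) == 0) printf("user VA 0x08048FF0: \"%s\"\n", buf);
    return 0;
}
```

The point of the straddling string is the one the abstract makes: a linear read of physical memory at 0x5FF0 would run into whatever happens to sit at 0x6000, while a read through the page tables follows the PTEs and recovers the bytes in virtual order. Against a real image the same walk applies with a real CR3 (or a page directory found by scanning), and the PAE and 64-bit variants differ only in the number of levels and entry widths.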
© 2007 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Piegdon, D.R., Pimenidis, L. (2007). Targeting Physically Addressable Memory. In: Hämmerli, B.M., Sommer, R. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2007. Lecture Notes in Computer Science, vol 4579. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-73614-1_12
DOI: https://doi.org/10.1007/978-3-540-73614-1_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-73613-4
Online ISBN: 978-3-540-73614-1
eBook Packages: Computer Science (R0)