"If you're using a laptop, for example, any device that you plug into it that implements DMA access can trivially retrieve your password. Like a firewire cardbus card or something like that."
Not anymore. New platforms (including notebooks) have IOMMU, which separates each device into its own memory protection domain.
"TAKE YOUR BOOTLOADER WITH YOU."
Won't work. 'Evil maid' can infect your BIOS, so your whole Linux will run after 'evil' code is executed. Which can install backdoors into SMM, for example.
In short, TPM is the only real solution. You _need_ to have hardware you trust as the base of the 'trust chain'.
Posted Oct 29, 2009 20:31 UTC (Thu) by drag (subscriber, #31333)
No.
Even if you're using TPM the hardware can still be subverted if you allow
physical access to it. TPM does not solve any "evil maid" related issue
that putting the bootloader in removable media won't solve, except maybe
the BIOS thing.
TPM is useful for detection of problems with malicious software in your
bootloader and kernel. That way you can establish a chain of trust from
initial boot-up to running the OS. This allows you to hash every element
from the BIOS on upwards. This way you can reliably detect things like
rootkits by a simple reboot, which is impossible otherwise. Prior to
TPM you had to use a tool like tripwire or another host-based IDS while the
system was offline (like when you were booted up from a live CD), and comparing
that result with the last known good hash was the only reliable way to combat
rootkits. TPM can reduce the complexity, expense, and difficulty of that
considerably.
It is not really designed to secure your machine from physical access.
------------------------------------
Really the only solution using current technology is just not to leave your
stuff where other people have access to it when you're not around.
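
The measured-boot chain discussed in this thread (hash every element from the BIOS upwards, then compare against a last known good value) can be sketched as follows. This is an added example, not code from either commenter; the stage names and images are constructed, and a SHA-256 PCR is an assumption (TPM 1.2 parts used SHA-1).

```python
import hashlib

PCR_SIZE = 32  # assumption: SHA-256 bank; a SHA-1 PCR would be 20 bytes


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: new PCR = H(old PCR || measurement). A PCR can only be folded into, never set."""
    return hashlib.sha256(pcr + measurement).digest()


def measure_chain(stages):
    """Hash each boot stage in order; return (final PCR, event log of (name, digest))."""
    pcr = bytes(PCR_SIZE)  # PCRs start as all zeros at power-on
    log = []
    for name, image in stages:
        digest = hashlib.sha256(image).digest()
        pcr = extend(pcr, digest)
        log.append((name, digest))
    return pcr, log


def replay(log):
    """Recompute the PCR that an event log claims to have produced."""
    pcr = bytes(PCR_SIZE)
    for _, digest in log:
        pcr = extend(pcr, digest)
    return pcr


def check_boot(pcr, log, golden_log):
    """Return the stages whose digest differs from the known-good log.

    The log is only trusted if replaying it yields the reported PCR value.
    """
    if replay(log) != pcr:
        raise ValueError("event log does not replay to the PCR value")
    golden = dict(golden_log)
    return [name for name, digest in log if golden.get(name) != digest]


# Constructed sample images standing in for real firmware and boot files.
GOOD = [("bios", b"bios v1"), ("bootloader", b"loader v2"), ("kernel", b"vmlinuz")]
TAMPERED = [("bios", b"bios v1"), ("bootloader", b"loader v2 modified"), ("kernel", b"vmlinuz")]


def demo():
    golden_pcr, golden_log = measure_chain(GOOD)
    pcr, log = measure_chain(TAMPERED)
    return pcr != golden_pcr, check_boot(pcr, log, golden_log)


if __name__ == "__main__":
    print(demo())
```

The check only detects a changed stage; it says nothing about hardware that has been physically altered beneath the first measurement.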