By Jake Edge
January 9, 2013
When using whole-disk encryption, it's sometimes tempting to be less
concerned about attacks requiring physical presence. After all, putting
a laptop to sleep is quite convenient, even though attacks like "Evil Maid" or "Cold Boot" are
possible. A more recent attack just adds another worry to that list.
Inception is a
tool released in 2011 that uses Firewire direct memory access
(DMA) to access the memory of a sleeping (or simply powered-on, but locked)
system. While it is
an older tool, Inception recently got a notoriety boost from Cory
Doctorow at Boing Boing, which is where I came across it. It is a
rather interesting attack, and one that isn't really exploiting a bug.
In order to facilitate high-speed transfers, Firewire (aka IEEE 1394)
requires the availability of a DMA mode. DMA allows the Firewire
controller to directly access system memory, bypassing the CPU. While
removing the potential bottleneck of the CPU does make transfers faster, it
also opens up the contents of memory for any Firewire device to inspect or
modify.
This is the same memory that contains various things of interest, including
the code to check passwords.
It is the password-checking code that Inception targets. When the
incept program is run, it will patch the
Linux, Windows, or Mac OS X code running on the system
such that any password can be used to log in. After that, one can
log in as root (or Administrator) without need for the password—the
system is fully compromised. Since the patching is in memory only, though,
the change disappears at the next reboot, which may make it more difficult
to detect.
Inception doesn't require a Firewire interface on the targeted system, just
some way to add one (e.g. PCMCIA, ExpressCard). Typically, the system will
detect the Firewire device being added and helpfully install the drivers
needed. The attacker's machine, which is attached to the victim over the
Firewire interface, then sends commands to enable DMA mode. From there,
the program looks for signatures of password authentication modules and
patches any it finds.
There are, of course, other things one can do with access to the memory,
including dumping its contents for use later on. The system memory may well
contain information of interest, for example
credentials of various sorts. Patching other parts of the operating system
is possible as well, and the incept program has support for
using custom signatures and patches. Inception is useful for more than
just attacks, as it can be used to help analyze any running
system—one that has been compromised for example.
The attack code runs on Linux or OS X systems. It requires Python 3
and libforensic1394.
Unsurprisingly, there are some caveats. Targets with more
than 4G of RAM may not be attacked reliably because DMA is limited to the
low 4G and the code of interest might be loaded higher up. In addition,
certain OS X targets may repel the attack by disabling DMA under
certain circumstances (like sleeping).
One obvious mitigation for Linux is to disable the Firewire drivers for
systems that aren't using them. One could, instead, disable Firewire DMA
when the drivers are loaded,
but if
Firewire is actually being used, that will clearly impact performance.
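The first mitigation above, keeping the Firewire drivers from loading at all, can be done with a modprobe blacklist. The script below is an added example (not from the article or the Inception project); it assumes the mainline Linux "firewire-*" driver names plus the older ieee1394-stack names, and writes the blacklist into a directory you name so it can be tried without root:

```shell
#!/bin/sh
# Added example, not the article's or Inception's code: blacklist the Linux
# FireWire (IEEE 1394) drivers so a hot-plugged FireWire/ExpressCard adapter
# does not get them auto-loaded, and report whether any are loaded right now.
# Names are the mainline firewire-* stack; the three older ieee1394-stack names
# are included for old kernels (blacklisting an absent module is harmless).
FW_MODULES="firewire-core firewire-ohci firewire-sbp2 ohci1394 ieee1394 sbp2"

# Read lsmod / /proc/modules style lines from stdin, print any FireWire module
# names found (the kernel reports them with underscores, e.g. firewire_ohci)
# and return 1 if any were loaded, 0 if none.
loaded_firewire_modules() {
    wanted=$(printf '%s' "$FW_MODULES" | tr '-' '_')
    found=""
    while read -r name _rest; do
        case " $wanted " in
            *" $name "*) found="$found $name" ;;
        esac
    done
    found="${found# }"
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Write a modprobe config into $1 (normally /etc/modprobe.d, which needs root).
# "blacklist" stops alias-based autoloading on hot-plug; "install ... /bin/false"
# also defeats an explicit "modprobe firewire-ohci". Prints the path written.
write_firewire_blacklist() {
    out="$1/blacklist-firewire.conf"
    : > "$out" || return 1
    for m in $FW_MODULES; do
        printf 'blacklist %s\ninstall %s /bin/false\n' "$m" "$m" >> "$out"
    done
    printf '%s\n' "$out"
}

# Stand-alone use: report the running system's state; apply the blacklist with
#   sudo sh this-script --apply   (then rmmod the listed modules or reboot)
if [ -r /proc/modules ]; then
    if loaded_firewire_modules < /proc/modules; then
        echo "no FireWire modules loaded"
    else
        echo "FireWire modules are loaded; blacklist them and unload or reboot"
    fi
fi
[ "${1:-}" = "--apply" ] && write_firewire_blacklist /etc/modprobe.d
```

Blacklisting only prevents future loads; modules already resident have to be removed with rmmod (or a reboot) before the change takes effect.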
Inception serves as a nice reminder that a powered-on system is
vulnerable to many "physically present" kinds of attacks—even if the disk is encrypted