
It does

Posted Jan 10, 2013 14:35 UTC (Thu) by renox (subscriber, #23785)
In reply to: Use an IOMMU by epa
Parent article: Attacking full-disk encryption with Inception

AFAIK, without an IOMMU, any DMA-capable device can do the same as this 'firewire' hack, provided you can control the device.



It does

Posted Jan 10, 2013 16:38 UTC (Thu) by epa (subscriber, #39769)

I thought that the 'DMA-capable device' was the PCI or PCI Express card in your motherboard. (Obviously if the attacker can plug in any card to a PCI slot you've already lost.) But you are saying the DMA-capable device is actually the hard disk connected to the PCI card, which gets to choose all by itself which address range to write to?

It does

Posted Jan 10, 2013 21:29 UTC (Thu) by renox (subscriber, #23785)

I'm not sure, what would prevent it?

It does

Posted Jan 11, 2013 10:10 UTC (Fri) by epa (subscriber, #39769)

What I imagined was this: the SCSI controller (being a DMA-capable device attached to the PCIe bus) sets up a DMA transfer using an address it has chosen. The SCSI controller then transfers data to and from the disk over the SCSI bus - this using the SCSI protocol and not related to host addresses in any way. On receiving data from the disk, the controller DMAs it into memory.

But you are saying that the *disk* gets to choose which part of the host's memory to write to, and organizes the DMA itself?

It does

Posted Jan 11, 2013 12:24 UTC (Fri) by cladisch (✭ supporter ✭, #50193)

> But you are saying that the *disk* gets to choose which part of the host's memory to write to

Yes; the disk gets told by the disk driver the address which it should write to.

> and organizes the DMA itself?

The disk device just sends a packet with a specific address to the host.

This address usually works similar to the port number in TCP/IP, i.e., the controller writes the packet into a buffer configured by the driver, and the host's FireWire software stack uses the address to determine which driver/application gets to handle the packet.

However, as an optimization, FireWire controllers can be configured by the driver to handle certain packets from certain devices differently, by writing them to the physical memory address specified in the packet itself.
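The two dispatch paths described in the reply above, as an added example (not code from the LWN thread, from Inception, or from the Linux FireWire stack): a small C model of a host controller receiving an asynchronous request from a bus node. With "physical DMA" off for the sending node, the packet lands in a driver buffer and software decides what the address means; with it on, the 48-bit destination offset in the packet is used directly as a host physical address, which is what lets an attacker's device read the disk-encryption key out of RAM. An IOMMU-style allowed window is then added to show what stops the physical path. Assumptions of the model: the header field positions are my recollection of the IEEE 1394 asynchronous packet layout, the per-node `phys_dma_enabled` flag stands in for the controller's physical request filter, the IOMMU is simplified to a single window, and all memory contents and packet bytes are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HOST_RAM_SIZE (16u * 1024u)   /* constructed "host RAM" for the model */
#define KEY_PHYS_ADDR 0x1000u         /* where the model keeps a 16-byte FDE key */
#define KEY_LEN 16u
#define TCODE_WRITE_BLOCK 1           /* IEEE 1394 write block request */
#define TCODE_READ_BLOCK 5            /* IEEE 1394 read block request */

static uint8_t host_ram[HOST_RAM_SIZE];
static uint8_t rx_buf[512];           /* driver-owned buffer for the normal path */

/* Header fields of a 1394 asynchronous request; field positions are my recollection
 * of the packet layout (an assumption of this model, not taken from the thread). */
struct fw_request {
    uint16_t source_id;
    uint8_t tcode;
    uint64_t destination_offset;      /* 48-bit address chosen by the requester */
    uint16_t data_length;
    const uint8_t *payload;           /* meaningful for write requests only */
};

/* Controller policy: which source nodes may use physical DMA (standing in for the
 * per-node physical request filter) and an IOMMU-style window [lo, hi). */
struct controller {
    bool phys_dma_enabled[64];        /* indexed by node number: low 6 bits of source_id */
    bool iommu_enabled;
    uint64_t iommu_lo, iommu_hi;
};

enum outcome { PHYSICAL_OK, TO_DRIVER, BLOCKED, MALFORMED };

static uint32_t be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static void put_be32(uint8_t *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }

/* What a bus device (or an attacker's laptop posing as one) transmits. */
static size_t fw_build_request(uint8_t *pkt, uint8_t tcode, uint16_t source_id,
                               uint64_t offset, const uint8_t *data, uint16_t len)
{
    put_be32(pkt, 0xffc0u << 16 | (uint32_t)tcode << 4);           /* dest node 0, tl 0, tcode */
    put_be32(pkt + 4, (uint32_t)source_id << 16 | (uint32_t)((offset >> 32) & 0xffff));
    put_be32(pkt + 8, (uint32_t)offset);
    put_be32(pkt + 12, (uint32_t)len << 16);                        /* data_length, ext_tcode 0 */
    if (tcode == TCODE_WRITE_BLOCK) memcpy(pkt + 16, data, len);
    return 16u + (tcode == TCODE_WRITE_BLOCK ? len : 0u);
}

static bool fw_parse_request(const uint8_t *pkt, size_t len, struct fw_request *r)
{
    if (len < 16) return false;
    uint32_t q0 = be32(pkt), q1 = be32(pkt + 4), q2 = be32(pkt + 8), q3 = be32(pkt + 12);
    r->tcode = (q0 >> 4) & 0xf;
    r->source_id = q1 >> 16;
    r->destination_offset = (uint64_t)(q1 & 0xffff) << 32 | q2;
    r->data_length = q3 >> 16;
    r->payload = pkt + 16;
    if (r->tcode == TCODE_WRITE_BLOCK) return len >= 16u + r->data_length;
    return r->tcode == TCODE_READ_BLOCK;
}

/* Dispatch: physical DMA off for the node means the packet goes to a driver buffer and
 * software interprets the offset; on means the offset is used as a host physical address. */
static enum outcome fw_controller_handle(const struct controller *c, const uint8_t *pkt,
                                         size_t len, uint8_t *read_out)
{
    struct fw_request r;
    if (!fw_parse_request(pkt, len, &r)) return MALFORMED;
    if (!c->phys_dma_enabled[r.source_id & 0x3f]) {
        memcpy(rx_buf, pkt, len < sizeof rx_buf ? len : sizeof rx_buf);
        return TO_DRIVER;
    }
    uint64_t lo = r.destination_offset, hi = lo + r.data_length;
    if (hi < lo || hi > HOST_RAM_SIZE) return BLOCKED;              /* outside modelled RAM */
    if (c->iommu_enabled && (lo < c->iommu_lo || hi > c->iommu_hi))
        return BLOCKED;                                             /* IOMMU fault: not mapped */
    if (r.tcode == TCODE_WRITE_BLOCK) memcpy(host_ram + lo, r.payload, r.data_length);
    else memcpy(read_out, host_ram + lo, r.data_length);
    return PHYSICAL_OK;
}

/* Scenario: node 5 on the bus asks to read the key out of host RAM (constructed bytes). */
static enum outcome attacker_reads_key(bool phys_dma_on, bool iommu_on, uint8_t *key_out)
{
    struct controller c = { .iommu_enabled = iommu_on, .iommu_lo = 0x2000, .iommu_hi = 0x3000 };
    c.phys_dma_enabled[5] = phys_dma_on;
    for (unsigned i = 0; i < KEY_LEN; i++) host_ram[KEY_PHYS_ADDR + i] = (uint8_t)(0xA0 + i);
    uint8_t pkt[32];
    size_t n = fw_build_request(pkt, TCODE_READ_BLOCK, 0xffc5, KEY_PHYS_ADDR, NULL, KEY_LEN);
    memset(key_out, 0, KEY_LEN);
    return fw_controller_handle(&c, pkt, n, key_out);
}

/* First key byte the attacker obtained, or the negated outcome when nothing was read. */
static int key_byte_obtained(bool phys_dma_on, bool iommu_on)
{
    uint8_t key[KEY_LEN];
    enum outcome o = attacker_reads_key(phys_dma_on, iommu_on, key);
    return o == PHYSICAL_OK ? key[0] : -(int)o;
}

int main(void)
{
    printf("physical DMA on, no IOMMU: %d\n", key_byte_obtained(true, false));   /* 160 = 0xA0 */
    printf("physical DMA on, IOMMU on: %d\n", key_byte_obtained(true, true));    /* -2: blocked */
    printf("physical DMA off:          %d\n", key_byte_obtained(false, false));  /* -1: to driver */
    return 0;
}
```

The model's IOMMU is a single window; a real one works from per-device page tables, but the property that matters here is the same: an address named by a bus device is translated and checked before it touches RAM, never used raw. Note also that turning the physical path off only moves the decision into software; the driver buffer path is safe exactly as long as the stack reads the offset as a handler selector rather than as a memory address.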

It does

Posted Jan 11, 2013 16:19 UTC (Fri) by epa (subscriber, #39769)

> The disk device just sends a packet with a specific address to the host.

Surely not - the disk sends a packet to the SCSI controller, and then the SCSI controller writes into the host's memory. (Unless this is just a question of terminology.)

> However, as an optimization, FireWire controllers can be configured by the driver to handle certain packets from certain devices differently, by writing them to the physical memory address specified in the packet itself.

I see - that is the root of this vulnerability. Clearly if devices can be plugged in externally, that optimization needs to be disabled.

It does

Posted Jan 11, 2013 16:36 UTC (Fri) by etienne (guest, #25256)

> But you are saying that the *disk* gets to choose which part of the host's memory to write to, and organizes the DMA itself?

Well, if you are queuing different reads from the disk, and the disk decides itself in which order it does them, it will have to synchronise with the DMA controller in possibly complex ways to write the right sector at the right place...
So the IDE/AHCI interface stores the address to read/write to along with the sector requested from the disk, and will DMA to that address.
If you have a PCI card which pretends to be an IDE/AHCI card it will be able to DMA everywhere. PCMCIA cards can probably do that.
If you want to do secure DMA, you would need to manage (quickly) all these blocks *and* synchronise with IDE/AHCI (considering read/write retries); I do not think Linux does that.

No it doesn't

Posted Jan 12, 2013 1:13 UTC (Sat) by butlerm (guest, #13312)

There isn't a SCSI interface on the planet where a SCSI disk instructs the SCSI host adapter which host memory address to write to. Nor an IDE/ATA/SATA one for that matter. That would be insane.

No it doesn't

Posted Jan 14, 2013 10:14 UTC (Mon) by etienne (guest, #25256)

But a hacked SCSI adapter can ignore the address of the transfer given by Linux and instead do a DMA anywhere.
Same for a hacked IDE adapter, and mostly for PCMCIA/CardBus cards, which are accessible on a lot of PCs without opening the box.

No it doesn't

Posted Jan 14, 2013 11:19 UTC (Mon) by dlang (subscriber, #313)

Yes, if you take over some device directly attached to the memory or PCI bus of a machine, you can access anywhere in RAM.

With FireWire this doesn't take hacking the card; it's a normal mode of operation.

No it doesn't

Posted Jan 16, 2013 13:25 UTC (Wed) by epa (subscriber, #39769)

> There isn't a SCSI interface on the planet where a SCSI disk instructs the SCSI host adapter which host memory address to write to. Nor an IDE/ATA/SATA one for that matter. That would be insane.

Right. But apparently FireWire does have that design flaw?

No it doesn't

Posted Jan 17, 2013 16:39 UTC (Thu) by cladisch (✭ supporter ✭, #50193)

> > There isn't a SCSI interface on the planet where a SCSI disk instructs the SCSI host adapter which host memory address to write to.
>
> But apparently Firewire does have that design flaw?

The three transport protocols where SCSI can use some form of remote DMA are FireWire, InfiniBand, and iWARP.

It does

Posted Jan 11, 2013 10:23 UTC (Fri) by renox (subscriber, #23785)

No, I just forgot about the SCSI distinction between the disk and the controller.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds