DMA: Skeleton key of computing && selected soap box rants David Maynor X-Force Advanced R&D
DMA (Direct Memory Access)
But first, I digress.
I started auditing for software vulns late in the game. By the time I started simple stack overflows were all but gone. Heap exploits are all the rage… Strcpy, sprintf, and friends are all but extinct…
There is no joy in Mudville tonight… Although they still pop up from time to time… *COUGH*COUGH*MSMQ*COUGH*COUGH*
for mighty Casey has struck out. THE MSMQ BUG OF MS05-017 FAME! Pretty ain’t it?
But if you know the right people… You will hear stories… Nothing more than whispers… Of a magical place… Where these types of overflows are plentiful…
Device Drivers !!! (APPLAUSE)
A long, long time ago...
I can still remember
How that music used to make me smile.
And I knew if I had my chance
That I could make those people dance
And, maybe, they'd be happy for a while.
So bye-bye, miss american pie.
Drove my chevy to the levee, but the levee was dry.
And them good old boys were drinkin' whiskey and rye
Singin', this'll be the day that I die.
This'll be the day that I die.
• %s format specified, eax is user controlled buffer • Buffer size is 64, format specified is %s%s, off_22e48 is from user controllable data. • Format is %d//%s, EAX is user controllable data. • Format is <string>//%s, eax is user controllable • [ebp+arg_18] is user controllable data • Format is %d//%s:%s, [ebp-1B0h] and [ebp-1ACh] are both user controllable buffers • Format is %s, eax is user controllable. • edi is 32 bytes, [ebp+user_buf] is user controllable. • edi is user controllable buffer • esi is a user controllable buffer • eax is 1024 bytes long, format is %d//%s, [ebp+7Ch] is user controllable
SOME OF THESE EXAMPLES WERE OBFUSCATED IN IDA TO MAKE FINDING THEM A BIT DIFFICULT. ISS generally won't release details on vulns, especially since the vendor hasn't been notified yet. They are supposed to show the current state of device driver security.
HI WINDOW! Now before you blame Microsoft… It is not completely their fault… Open-source projects like Linux/FreeBSD have some of the same problems. A lot of the examples shown were from 3rd-party drivers… But Microsoft is not without fault…
Are you free for dinner this week? Just joking… • What don't you see? • eax is a user controllable buffer.
What I mean by user controllable: data that comes from something a user could influence or directly control if they masquerade as a device or modify how a device works. An example is self-identifying devices that send a vendor string when plugged in; the driver formats that string into a fixed-size buffer, and the device, not the driver, decides how long it is.
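The pattern behind most of the IDA notes above ("Format is %d//%s, eax is user controllable", "Buffer size is 64"), written out as an added example that is not code from the deck or from any of the drivers it audited: the device-supplied vendor string is formatted into a fixed 64-byte buffer with sprintf(), next to a bounded version that treats "does not fit" as an error. The function names, the bus_id field and the "ACME Widgets" input are constructed for the example.

```c
/* Added example, not from the original deck: the "%d//%s into a fixed
 * buffer" pattern from the IDA notes above, with the device-supplied
 * vendor string as the attacker-controlled input, next to a bounded
 * version.  The function names and the bus_id field are hypothetical;
 * the 64-byte buffer matches the slide's "buffer size is 64". */
#include <stdio.h>
#include <string.h>

#define NAME_BUF_SIZE 64

/* Vulnerable pattern: sprintf() writes as much as the vendor string
 * demands.  With a 64-byte name[] anything past 60 characters of vendor
 * (for a one-digit bus_id) runs off the end of the buffer.  Kept here
 * only to show the shape of the bug; never call it on hostile input. */
int build_device_name_unsafe(char *name, int bus_id, const char *vendor)
{
    return sprintf(name, "%d//%s", bus_id, vendor);
}

/* Hardened form: snprintf() bounds the write, and its return value is
 * checked so that truncation is an error rather than a silently mangled
 * name.  Returns the length written, or -1 if the input would not fit. */
int build_device_name_safe(char *name, size_t name_size, int bus_id,
                           const char *vendor)
{
    int n = snprintf(name, name_size, "%d//%s", bus_id, vendor);
    if (n < 0 || (size_t)n >= name_size) {
        name[0] = '\0';                 /* do not leave a half-built name */
        return -1;
    }
    return n;
}

/* Longest vendor string the safe builder accepts for this bus_id and
 * buffer: size minus the "%d//" prefix minus the NUL. */
size_t max_vendor_len(size_t name_size, int bus_id)
{
    char tmp[32];
    int prefix = snprintf(tmp, sizeof tmp, "%d//", bus_id);
    if (prefix < 0 || (size_t)prefix + 1 > name_size)
        return 0;
    return name_size - 1 - (size_t)prefix;
}

/* Build a vendor string of `len` 'A's (as a hostile device could present
 * on plug-in) and report what the safe builder does with it for bus 3. */
int try_vendor_len(size_t len)
{
    char vendor[256];
    char name[NAME_BUF_SIZE];
    if (len >= sizeof vendor)
        return -2;
    memset(vendor, 'A', len);
    vendor[len] = '\0';
    return build_device_name_safe(name, sizeof name, 3, vendor);
}

int main(void)
{
    char name[NAME_BUF_SIZE];
    const char *benign = "ACME Widgets";        /* constructed input */

    build_device_name_unsafe(name, 3, benign);
    printf("unsafe, benign: %s\n", name);
    printf("safe, benign:   %d (%s)\n",
           build_device_name_safe(name, sizeof name, 3, benign), name);
    printf("max vendor len for bus 3: %zu\n", max_vendor_len(sizeof name, 3));
    printf("60-char vendor: %d\n", try_vendor_len(60));   /* fits exactly */
    printf("61-char vendor: %d\n", try_vendor_len(61));   /* rejected */
    return 0;
}
```

The point of max_vendor_len() is that the limit depends on the prefix, so a driver that hard-codes "vendor strings are at most 64 bytes" is still wrong once the format adds even a few characters; the only reliable check is the one snprintf() gives you after the fact.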
Why does this happen? • In order to exploit most device drivers you must have physical access to the system • There are exceptions • Wireless drivers • Bluetooth drivers • Network Drivers • Where else to look? • File system • Peripheral drivers • Anything in \WINDOWS\System32\Drivers
Is exploiting them possible? • It seems like most device driver writers don't care much about security, the same as video game developers. • They trust the input they receive far too much. • If exploited, the attacker is now in ring0, and doing useful stuff there can be tricky, but not hard. • If you mess up it's normally blue screen city. • With devices becoming more complex, the drivers are doing more.
“I think this year or next year exploiting device drivers will be all the rage!” –Maximillian Dornseif (while eating a lot of meat and drinking beer) • I am confident all the examples shown can lead to exploitable conditions. • These conditions may be local/remote/physical access. • The possibility for local privilege escalation is astounding.
Fixing? • Device driver writers will need to become as proficient at defensive programming techniques as any other developer. • Trusted computing models that include everything being “sandboxed” will help. • More stack/heap protection to be extended to device drivers. • It finally boils down to human error.
Question to ask Microsoft: Will the device driver signing program include checks for security related problems like buffer overflows?
BTW • What is the deal with hardware and software designers wanting to make more protocols IP friendly like RDMA and iSCSI? • Does this seem like a bad idea to anyone else?
</SOAPBOX> Back to DMA
Physical hardware access… • Mudge, SUN, Forth, physical access • http://www.phrack.org/show.php?p=53&a=9 • NSA fears Furbies!! • http://www.cnn.com/US/9901/13/nsa.furby.ban.01/
What does a standard business computer look like? 1U rackmount server • 4 usb ports • 2 RJ-45 ethernet ports. • SATA harddrive. • ATI RAGE chipset
What does a standard business computer look like? Laptop • 2 USB ports – Intel 82801DB Host controller • Generic PCMCIA (Cardbus) controller • 1 Network adapter - Broadcom • 1 sound card - Sigmatel • 1 ATI Mobility Radeon 9000
Why do you care? • Most people think about attacks at the OS level and above with no thought to below.
Increased complexity • You no longer have 1 computer • You have a complex system made up of many different smaller systems. • These systems are upgradeable, updateable, and programmable…and hackable. • One of the most complicated subsystems, the video card. • GART
What can you do to video cards? • Overclock them via software, hack firmware, change factory settings, in general “tweak them” • http://www.rage3d.com/r3dtweak/
Why do you care? • Video cards, a subsystem of your computer, can be manipulated to do things that were never intended. • What other things can be manipulated? • What can be achieved? • How?
What other components are complex? • Nvidia – building more and more complex software into hardware – Active Armor and nForce.
Bus Mastering • DMA is one form of bus mastering • Bus master refers to the device that controls the system bus • DMA is a simple form that allows for the setup of memory transfers without the need for the CPU. • In these cases another device takes control of the system bus. The device signals the CPU when the transfer is complete.
What is DMA? • It really is Direct Memory Access. • Designed to allow components and subsystems to access system memory for read/write without using CPU time. • Used in USB, PCMCIA (CardBus), disk controllers, video and sound cards, and FireWire. • Think of it as how things get done inside your PC. • Requires a DMA controller to work • Requires a “bus request” to start a transfer. • System DMA vs. Bus Master DMA • DMA deals with physical memory • Most transfers are done in direct mode
What is DMA? • The CPU is oblivious to DMA activities • Requires large contiguous physical memory regions; there is no page mapping on the host side, the device sees physical addresses. • Scatter/Gather can be used to avoid the problem of not enough contiguous memory: the transfer is described as a list of physically contiguous runs instead of one region. • Most OSes implement this at the driver level and include their own API for developing DMA applications; you don’t have to use these. • In fact, without using the provided tools it is much easier to coerce the machine into doing bad things.
What is DMA • Not using the provided APIs increases complexity greatly and will slow down development. • I use a happy medium approach. • There isn’t really much in the way of security. (We are not currently discussing XP SP2 with DEP.)
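What a scatter/gather list actually does with the "no contiguous memory" problem, as an added example that is not code from the deck or from any OS DMA API: a virtually contiguous buffer is walked page by page, each page is translated to its physical frame, and physically adjacent frames are merged into one descriptor. The page size, the descriptor layout, the lookup callback and the demo page table are all hypothetical stand-ins; real DMA APIs differ in detail but perform this same translation.

```c
/* Added example, not from the original deck: a scatter/gather (SG) list
 * builder of the kind a DMA driver uses when the buffer it wants a device
 * to read or write is virtually contiguous but physically scattered.
 * The page table, page size and descriptor format here are hypothetical
 * stand-ins, not any real OS API. */
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096u

/* One DMA descriptor: a physically contiguous run the device can access. */
struct sg_entry {
    uint64_t phys;
    uint32_t len;
};

/* Translate a virtual page number to a physical frame number; <0 = unmapped. */
typedef int64_t (*lookup_fn)(uint64_t vpn);

/* Walk the virtual range page by page, translate each page, and emit one
 * descriptor per physically contiguous run.  Returns the number of
 * descriptors, -1 if any page is unmapped (a device must never be handed
 * a guessed address), or -2 if the descriptor table is too small. */
int build_sg_list(uint64_t vaddr, uint32_t len, lookup_fn lookup,
                  struct sg_entry *out, int max_entries)
{
    int n = 0;
    uint64_t cur = vaddr, end = vaddr + len;

    while (cur < end) {
        uint64_t vpn = cur / PAGE_SIZE;
        uint32_t off = (uint32_t)(cur % PAGE_SIZE);
        int64_t pfn = lookup(vpn);
        if (pfn < 0)
            return -1;

        uint32_t chunk = PAGE_SIZE - off;          /* bytes left in this page */
        if (chunk > end - cur)
            chunk = (uint32_t)(end - cur);
        uint64_t phys = (uint64_t)pfn * PAGE_SIZE + off;

        if (n > 0 && out[n - 1].phys + out[n - 1].len == phys) {
            out[n - 1].len += chunk;               /* contiguous: extend run */
        } else {
            if (n == max_entries)
                return -2;
            out[n].phys = phys;
            out[n].len = chunk;
            n++;
        }
        cur += chunk;
    }
    return n;
}

/* Sum of descriptor lengths; must equal the requested transfer size. */
uint64_t sg_total_len(const struct sg_entry *sg, int n)
{
    uint64_t total = 0;
    for (int i = 0; i < n; i++)
        total += sg[i].len;
    return total;
}

/* Constructed page table for the demo: virtual pages 0x10..0x12 map to
 * frames 7, 8 and 20 (so 0x10 and 0x11 are physically adjacent, 0x12 is
 * not); everything else is unmapped. */
int64_t demo_lookup(uint64_t vpn)
{
    switch (vpn) {
    case 0x10: return 7;
    case 0x11: return 8;
    case 0x12: return 20;
    default:   return -1;
    }
}

int main(void)
{
    struct sg_entry sg[8];
    uint64_t vaddr = 0x10 * PAGE_SIZE + 100;  /* starts 100 bytes into page 0x10 */
    int n = build_sg_list(vaddr, 8192, demo_lookup, sg, 8);
    printf("descriptors: %d\n", n);
    for (int i = 0; i < n; i++)
        printf("  phys=0x%llx len=%u\n", (unsigned long long)sg[i].phys, sg[i].len);
    printf("unmapped tail -> %d\n", build_sg_list(vaddr, 12288, demo_lookup, sg, 8));
    return 0;
}
```

Note what the device receives: only the phys/len pairs. Nothing in that list carries page permissions or an owner, which is the deck's point about DMA dealing with physical memory; once the descriptors are handed over, the CPU's page protections are out of the picture for that transfer.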
How is DMA implemented? • Depends on the OS? • Windows XP • Linux • OSX
Transports that use DMA • USB • Easiest to access • A bit tricky to exploit • PCMCIA • Easy to access on laptops. • Building an exploit device may be expensive and require specialized knowledge. • AGP • Can use the video card to do a DMA transfer into system memory. • Disk Controllers • Hardest to access
Owning over USB • How does USB work? • Universal Serial Bus • Devices are self-identifying. • This allows specific types of devices to be handled by specific drivers. • Types of devices are HID, Communication, Mass Storage, Audio, Streams, Chip/Smart card reader, Content Security, Device firmware upgrade. • Supports several different topologies. • Packet-oriented protocol that is reminiscent of IP.
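How the host learns what a self-identifying device claims to be, as an added example that is not code from the deck or from any real USB stack: a parser for the 18-byte device descriptor and for a string descriptor (the manufacturer/product strings the deck calls the vendor string), with the device-supplied bLength checked against the bytes actually received before it drives anything. Field layouts follow the USB 2.0 specification; the sample descriptor bytes, including the vendor and product IDs, are constructed, and the function names are hypothetical.

```c
/* Added example, not from the original deck: parsing the USB device
 * descriptor and a string descriptor the way a host driver has to, with
 * the device-supplied length fields checked against what was actually
 * received.  Layouts follow the USB 2.0 spec (chapter 9); the sample
 * bytes below are constructed, including the vendor/product IDs, and
 * the function names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define USB_DT_DEVICE 1
#define USB_DT_STRING 3
#define USB_DEVICE_DESC_LEN 18

struct usb_device_descriptor {
    uint8_t  bLength, bDescriptorType;
    uint16_t bcdUSB;
    uint8_t  bDeviceClass, bDeviceSubClass, bDeviceProtocol, bMaxPacketSize0;
    uint16_t idVendor, idProduct, bcdDevice;
    uint8_t  iManufacturer, iProduct, iSerialNumber, bNumConfigurations;
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Fill *d from a received buffer.  Returns 0, or -1 if the buffer is short
 * or the device's own bLength/bDescriptorType do not describe a device
 * descriptor.  Every field is copied by fixed offset; nothing in the
 * device's bytes is used as an index or a size. */
int parse_device_descriptor(const uint8_t *buf, size_t received,
                            struct usb_device_descriptor *d)
{
    if (received < USB_DEVICE_DESC_LEN) return -1;
    if (buf[0] != USB_DEVICE_DESC_LEN || buf[1] != USB_DT_DEVICE) return -1;
    d->bLength = buf[0]; d->bDescriptorType = buf[1];
    d->bcdUSB = le16(buf + 2);
    d->bDeviceClass = buf[4]; d->bDeviceSubClass = buf[5]; d->bDeviceProtocol = buf[6];
    d->bMaxPacketSize0 = buf[7];
    d->idVendor = le16(buf + 8); d->idProduct = le16(buf + 10); d->bcdDevice = le16(buf + 12);
    d->iManufacturer = buf[14]; d->iProduct = buf[15]; d->iSerialNumber = buf[16];
    d->bNumConfigurations = buf[17];
    return 0;
}

/* Convert a string descriptor (UTF-16LE payload) to ASCII in out[].
 * bLength comes from the device, so it is validated against the bytes
 * actually received and against out_size before it drives any loop.
 * Returns the number of characters written, or -1 on a malformed or
 * oversized descriptor.  Non-printable or non-ASCII code units become '?'. */
int parse_string_descriptor(const uint8_t *buf, size_t received,
                            char *out, size_t out_size)
{
    if (received < 2 || out_size == 0) return -1;
    uint8_t blen = buf[0];
    if (blen < 2 || (blen & 1) || blen > received || buf[1] != USB_DT_STRING)
        return -1;
    size_t nchars = (blen - 2) / 2;
    if (nchars + 1 > out_size) return -1;     /* would not fit, including NUL */
    for (size_t i = 0; i < nchars; i++) {
        uint16_t cu = le16(buf + 2 + 2 * i);
        out[i] = (cu >= 0x20 && cu < 0x7f) ? (char)cu : '?';
    }
    out[nchars] = '\0';
    return (int)nchars;
}

/* Constructed sample: USB 2.0 device, 64-byte EP0, made-up IDs 0x1234/0x5678. */
const uint8_t sample_device_desc[18] = {
    0x12, 0x01, 0x00, 0x02, 0x00, 0x00, 0x00, 0x40,
    0x34, 0x12, 0x78, 0x56, 0x00, 0x01, 0x01, 0x02, 0x03, 0x01
};
/* Constructed manufacturer string "ACME": bLength 10, type 3, UTF-16LE. */
const uint8_t sample_string_desc[10] = {
    0x0a, 0x03, 'A', 0, 'C', 0, 'M', 0, 'E', 0
};
/* Constructed hostile string descriptor: bLength claims 0xff bytes but only
 * 10 arrived; a parser that trusts bLength walks 126 code units, far past
 * the end of the buffer it was given. */
const uint8_t hostile_string_desc[10] = {
    0xff, 0x03, 'A', 0, 'C', 0, 'M', 0, 'E', 0
};

int main(void)
{
    struct usb_device_descriptor d;
    char s[32];
    if (parse_device_descriptor(sample_device_desc, sizeof sample_device_desc, &d) == 0)
        printf("vid=%04x pid=%04x ep0=%u\n", d.idVendor, d.idProduct, d.bMaxPacketSize0);
    printf("manufacturer: %d -> %s\n",
           parse_string_descriptor(sample_string_desc, sizeof sample_string_desc, s, sizeof s), s);
    printf("hostile: %d\n",
           parse_string_descriptor(hostile_string_desc, sizeof hostile_string_desc, s, sizeof s));
    return 0;
}
```

The device class fields and the string indexes are what decide which driver gets loaded and which strings get copied around inside it; every one of those bytes is chosen by whoever built or reprogrammed the device, which is exactly the "user controllable data" the driver examples earlier in the deck trust without checking.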