Date: Thu, 6 Mar 2008 16:13:15 -0500
From: <Glenn.Everhart@...se.com>
To: <Larry@...ryseltzer.com>, <tim-security@...tinelchicken.org>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: Firewire Attack on Windows Vista

Certainly in VMS there is DMA opened up, but only to buffers that are known
and checked to be legal for such.  This is a source of considerable complexity
in the drivers, and depending on hardware architecture (number of control registers
available, for example, to control DMA channels) limits both number of concurrent
operations and size of some operations. For example, the max size of magtape
records is limited, in part to conserve such bandwidth for use with disks. 

If driver writers adopt a "wild-west" approach where the DMA space is left wide
open, obviously the security of anything within memory is totally open to
whatever a smart peripheral may do.

It should be realized though that fixing this is not necessarily a simple
thing, nor are architectural considerations missing. But with the advent of
more and more smart "peripherals" (at least some of which are commonly user
programmable), open DMA access amounts to peek/poke control over all of memory
and the abdication by the OS involved of any pretense of security whatever.

As for what can be done by Windows (as opposed to "any OS"), that is perhaps
limited by the great range of underlying hardware. A compromise which might allow
DMA to/from disks, tapes, or CDs but disallow it for most other peripherals
might turn out to be the best general solution available, or something 
comparably ugly.

Glenn Everhart


-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk]On Behalf Of Larry
Seltzer
Sent: Thursday, March 06, 2008 3:36 PM
To: Tim
Cc: Full Disclosure; Bugtraq
Subject: Re: [Full-disclosure] Firewire Attack on Windows Vista


>>No, the iPod device signature makes Windows drivers think it should
allow DMA access for that device because it detect it as a disk device.
>>Other disk device signatures would likely work the same way, that's
just the one he happened to emulate.

Is it not possible for Windows (or any OS) to open up DMA for a device
only to a certain range? 

If not, what options are available? 

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
larry.seltzer@...fdavisenterprise.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

-----------------------------------------
This transmission may contain information that is privileged,
confidential, legally privileged, and/or exempt from disclosure
under applicable law.  If you are not the intended recipient, you
are hereby notified that any disclosure, copying, distribution, or
use of the information contained herein (including any reliance
thereon) is STRICTLY PROHIBITED.  Although this transmission and
any attachments are believed to be free of any virus or other
defect that might affect any computer system into which it is
received and opened, it is the responsibility of the recipient to
ensure that it is virus free and no responsibility is accepted by
JPMorgan Chase & Co., its subsidiaries and affiliates, as
applicable, for any loss or damage arising in any way from its use.
 If you received this transmission in error, please immediately
contact the sender and destroy the material in its entirety,
whether in electronic or hard copy format. Thank you.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists