lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu) Subject: Bios programming... On Thu, 03 Mar 2005 13:44:39 EST, Matt Marooney said: > 1. I would like the program to be "un-installable". I've heard of a Did you mean "un-installable", as in "an inability to be installed", or "non-uninstallable", as in "not removable"? :) In any case, some time with Google will probably find you an Agobot or spyware that will give you lots of hints on how to create a hard-to-remove program. ;) > couple of hardware security tracking services that can load a very small > setup package in the CMOS and if a computer is stolen, and the hard > drive is replaced, the app reloads itself and the next time the computer > is on the internet, it sends out a beacon. Does anyone have any insight > about how to do something like this? I want the CMOS program to run on > boot, and check to see if the monitoring software is still installed. > If it is not, the boot process reloads it. Note that this would almost certainly require an additional PROM chip, and hooks into the BIOS to invoke it at the right points. Note that about all it can probably do is "If the disk is different, toss a crafted packet out the Ethernet and hope for the best". Note that you're probably screwed if they either reboot while not on the net, or re-flash the BIOS with the original vendor BIOS (which implies further hardware hacks to make the box not bootable with the original vendor BIOS image). If you want it to additionally run a program in the "background", you'll have to get the operating system to cooperate. > 2. obviously, the program does not need to be very large, so I want it > to run in the background and not be visible to the computer's user. This > is easy, I know, but I want the process to be completely invisible. > (even to super-geeks) Remember that in general, the BIOS is in control before boot, but after boot, the BIOS is not in any meaningful control anymore. Ask yourself what happens if your problem user boots a Knoppix CD that doesn't want to play nice with your CMOS? > 3. I would like to figure out a way to monitor traffic for multiple > protocols (HTTP, FTP, File Sharing, Chat, etc.) . I'm wondering if > there is a way to figure out "bad" requests on a packet level. Take a look at Snort or other similar IDS, that tries to do that - particularly in terms of the size of the binary, and the system load impact. And then ask yourself if something that big is easily hidden inside the BIOS functionality (and consider carefully how many vendors ship totally borked ACPI DSDT's or just broken BIOSes).... -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 226 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050303/0ead1997/attachment.bin
Powered by blists - more mailing lists