Hacker Defeats Hardware-based Rootkit Detection
Manequintet writes "Joanna Rutkowska's latest bit of rootkit-related research shatters the myth that hardware-based (PCI cards or FireWire bus) RAM acquisition is the most reliable and secure way to do forensics. At this year's Black Hat Federal conference, she demonstrated three different attacks against AMD64 based systems, showing how the image of volatile memory (RAM) can be made different from the real contents of the physical memory as seen by the CPU. The overall problem, Rutkowska explained, is the design of the system that makes it impossible to reliably read memory from computers. "Maybe we should rethink the design of our computer systems so they are somehow verifiable," she said."
I thought this was invalid anyway (Score:4, Insightful)
i.e. remove the drive/devices and check them all.
well (Score:1, Insightful)
Re:I thought this was invalid anyway (Score:5, Insightful)
DRM (Score:3, Insightful)
Yay, DRM in every piece of hardware to the rescue!
Re:DRM (Score:4, Insightful)
Sounds actually like the exact opposite. DRM tries to hide away things, while this would give devices the ability to see everything that goes on inside the system RAM.
Re:she shatters two myths really ... (Score:3, Insightful)
It's true that there are more males than females in CompSci, but the ones which are there are no more and no less attractive than the average girl in any other line of work. Same goes for the males.
What the people in CompSci do share is an above-average passion for computing, abstract thinking and maths (or, if they don't, they don't belong in CompSci regardless of sex), but none of these things has any influence on looks.
BIOS (Score:2, Insightful)
Trying to have her cake and eat it too? (Score:5, Insightful)
And now a year later, she claims we need specialized hardware interfaces to scan memory for rootkits, even though this problem is laughably easy in the world of virtual machines.
And on to the actual work [com.com] ... the research basically observes that MTRR registers (some of the MSRs in the CPU) can cause memory mappings to look different between the CPU and the northbridge, and then comes up with a pretty easy way to cause the northbridge to either lock up or read data that is different (really easy once you see the specs for the appropriate registers). And she totally ignores the possibility of a system defending itself against this attack by verifying the registers she's modifying. Lousy research, girl.
Oddly enough, this "hack" is ALREADY IN USE ON YOUR SYSTEM and is actually necessary. See, when the processor is running in SMM (System Management Mode), it switches to exactly this configuration: the PCI bus sees VGA hardware mapped at the well-known address, but the processor maps the RAM at that address, which gives SMM mode a few kilobytes of memory that the normal system can't touch. SMM mode is used for things like "legacy USB devices" (e.g. having your USB keyboard act like PS/2 so DOS can use it) and other implement-in-software hacks that your OS doesn't know about, but your BIOS vendor gives you as "value-added features".
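A detection-side counterpart to the "verify the registers" point in the comment above, added here as an example that is neither from this thread nor from Rutkowska's work: it parses Linux /proc/mtrr-style lines and reports variable-range MTRRs that have changed since a recorded baseline or that overlap one another. The line format follows /proc/mtrr, but both snapshots below are constructed samples, not output from a real machine.

```python
import re

# Constructed sample of Linux /proc/mtrr output (not captured from a real machine).
# Each line is one variable-range MTRR: base, size and memory type.
BASELINE = """\
reg00: base=0x000000000 (    0MB), size= 2048MB, count=1: write-back
reg01: base=0x080000000 ( 2048MB), size= 1024MB, count=1: write-back
reg02: base=0x0d0000000 ( 3328MB), size=  256MB, count=1: write-combining
"""
# Constructed later snapshot: reg01 shrank and a new uncachable range overlaps it.
CURRENT = """\
reg00: base=0x000000000 (    0MB), size= 2048MB, count=1: write-back
reg01: base=0x080000000 ( 2048MB), size=  512MB, count=1: write-back
reg02: base=0x0d0000000 ( 3328MB), size=  256MB, count=1: write-combining
reg03: base=0x090000000 ( 2304MB), size=  512MB, count=1: uncachable
"""
LINE_RE = re.compile(r"^(reg\d+): base=0x([0-9a-f]+) \(\s*\d+MB\), "
                     r"size=\s*(\d+)MB, count=\d+: (\S+)", re.I)

def parse_mtrr(text):
    """Map register name -> (base, size_bytes, type); reject malformed lines."""
    regs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable MTRR line: {line!r}")
        name, base, size_mb, kind = m.groups()
        regs[name] = (int(base, 16), int(size_mb) << 20, kind)
    return regs

def diff_mtrr(baseline, current):
    """List registers that appeared, vanished or changed since the baseline."""
    out = []
    for name in sorted(set(baseline) | set(current)):
        old, new = baseline.get(name), current.get(name)
        if old is None:
            out.append(f"{name}: new 0x{new[0]:x}+{new[1] >> 20}MB {new[2]}")
        elif new is None:
            out.append(f"{name}: removed")
        elif old != new:
            out.append(f"{name}: {old[1] >> 20}MB/{old[2]} -> {new[1] >> 20}MB/{new[2]}")
    return out

def overlaps(regs):
    """Pairs of ranges that overlap in physical address space (a sign worth checking)."""
    items = sorted(regs.items(), key=lambda kv: kv[1][0])
    return [(a, b) for i, (a, ra) in enumerate(items)
            for b, rb in items[i + 1:] if rb[0] < ra[0] + ra[1]]
```

Run against a baseline taken at a known-good time, any reported change or overlap is a prompt to inspect the machine further rather than trust a memory image taken over the bus.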
good luck... (Score:3, Insightful)
Quite the opposite (Score:3, Insightful)
DRM is exactly the opposite. Locking away your computer's inner workings from you, taking away your chance to see what's going on inside.
Re:AACS "Improvement" (Score:2, Insightful)
Re:I thought this was invalid anyway (Score:3, Insightful)