Exploiting network card firmware
Adam Fields
cryptography23094893 at aquick.org
Thu May 15 18:11:02 EDT 2008
I didn't see Ben forward this himself, but it's definitely relevant to
the discussion of malware hiding in hardware:
"Without needlessly boring everyone with the various steps allow me to
share an interesting observation: drivers often assume the hardware is
misbehaved but never malicious. It is fascinating to discover what can
be done by making the hardware malicious.
[...]
3) from 1 & 2 above, after about two years, I've reached my goal of
writing a totally transparent firewall bypass engine for those
firewalls which are PC-based: you simply overwrite the firmware in
both NICs and then perform PCI-to-PCI transfers between the two
cards for suitably formatted IP packets (modern NICs have IP
"offload engines" in hardware and therefore can trigger on incoming
and outgoing packets). The "Jedi Packet Trick" (sorry, couldn't
resist) fools, amongst others, CheckPoint FW-1, Linux-based
Strongwall, etc. This is of course obvious as none of them check
PCI-to-PCI transfers,
4) I have extended the technique to provide VM escape support: one
writes packets from a bridged guest into the network which
initiates the NIC firmware update, updates the firmware and then
the NIC firmware is used to inject code into the underlying VM
host. The requirement to write to the network is then dropped as
all that is required is the pivoting in the NIC firmware.
"
http://www.links.org/?p=330
--
- Adam
** Expert Technical Project and Business Management
**** System Performance Analysis and Architecture
****** [ http://www.adamfields.com ]
[ http://www.morningside-analytics.com ] .. Latest Venture
[ http://www.confabb.com ] ................ Founder
[ http://www.aquick.org/blog ] ............ Blog
[ http://www.adamfields.com/resume.html ].. Experience
[ http://www.flickr.com/photos/fields ] ... Photos
[ http://www.aquicki.com/wiki ].............Wiki
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list