Implementing and Detecting a PCI Rootkit 
Emperor
Joined: Wed Apr 16, 2003 1:25 am
Posts: 2560
A fresh thing.
Quote:
This paper discusses means of persisting a rootkit on a PCI device containing a flashable expansion ROM. Previous work in the Trusted Computing field has noted the feasibility of expansion ROM attacks (which is in part the problem that this field has set out to solve), however the practicalities of implementing such attacks have not been discussed in detail. Furthermore, there is little knowledge of how to detect and prevent such attacks on systems that do not contain a Trusted Platform Module (TPM).


http://www.ngssoftware.com/research/pap ... ootkit.pdf

_________________
++


Sat Jan 13, 2007 3:55 pm
Felix Rex
Joined: Fri Mar 28, 2003 6:01 pm
Posts: 16646
Location: On a slope
Is it me, or does that article seem a bit like a paid endorsement for "Trusted Computing"...which just means that the manufacturers take away your control of your own computer.

Anyway, I see some weaknesses in the argument.

1. The argument assumes that overwriting a FLASHable area of a PCI device or the system BIOS is feasible...this has several flaws.
a. system bios is (or should be) set to nonwriteable by default, with the only way to turn off the writeability to be prior to BIOS transferring control to the hard drive. I'm not sure if that's the way it is, but I do know that most (all) BIOS can be set to virus-safe. This presumably will defend against any overwriting attempts.

b. There's no standard PCI interface. BIOS is controlled by a small group of manufacturers, so a flaw in the BIOS protection could cause massive vulnerability. With PCI this is not the case. I would find it hard to point at any single device that even 5% of the PCs in the world contain, especially with a similar BIOS structure. Any kind of exploit would target such a small group as to be useless...you'd be better exploiting something with a larger penetration capability.

2. Trusted computing seems to be hailed as the saviour for root kits...but that's BS too. There's nothing that can be done that won't contain flaws. Look at DVD...it was built with security in mind, and has long been cracked. Even the HD disks have been cracked already, and they haven't been on the market very long. Like most DRM, chances are the only thing that Trusted computing will hurt are legitimate users.

Anyway, pardon my rant, but Trusted computing is IMO a very, very bad thing. I will never buy a computer that has "Trusted Computing" built into it. I control my PC...not the manufacturer.

_________________
They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.


Sun Jan 14, 2007 2:47 pm