ClanKiller.com
http://forums.clankiller.com/

Implementing and Detecting a PCI Rootkit
http://forums.clankiller.com/viewtopic.php?f=24&t=2161
Page 1 of 1

Author:  RB [ Sat Jan 13, 2007 3:55 pm ]
Post subject:  Implementing and Detecting a PCI Rootkit

A fresh thing.
Quote:
This paper discusses means of persisting a rootkit on a PCI device containing a flashable expansion ROM. Previous work in the Trusted Computing field has noted the feasibility of expansion ROM attacks (which is in part the problem that this field has set out to solve); however, the practicalities of implementing such attacks have not been discussed in detail. Furthermore, there is little knowledge of how to detect and prevent such attacks on systems that do not contain a Trusted Platform Module (TPM).


http://www.ngssoftware.com/research/pap ... ootkit.pdf
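To illustrate the detection side of the paper's topic, here is an added example (not code from the paper, from NGS, or from the poster) that audits a PCI expansion ROM image the way a TPM-less host could: it walks the image chain via the 0x55AA header and the PCIR data structure, verifies the 8-bit checksum of each x86 image, flags bytes hiding after the last image, and compares each image's SHA-256 against a known-good baseline. The ROM bytes, vendor/device IDs and the `tamper` attacker model are all constructed in-line for the demonstration; the field offsets follow the standard expansion ROM header / PCIR layout.

```python
"""Audit a PCI expansion ROM image: walk the image chain, verify each
x86 image's 8-bit checksum, and hash every image against a baseline.
Example added to this thread; all ROM bytes below are constructed,
not dumped from real hardware."""
import hashlib
import struct

ROM_SIG = b"\x55\xAA"
PCIR_SIG = b"PCIR"
PCIR_FMT = "<HHHHB3sHHBBH"   # PCIR fields after the 4-byte signature
CODE_TYPES = {0: "x86 BIOS", 1: "Open Firmware", 2: "HP PA-RISC", 3: "EFI"}


def fix_checksum(image):
    """Patch the last byte so all bytes of the image sum to 0 mod 256."""
    buf = bytearray(image)
    buf[-1] = 0
    buf[-1] = (-sum(buf)) & 0xFF
    return bytes(buf)


def build_image(vendor, device, code, code_type=0, last=True):
    """Construct a minimal well-formed image (assumed layout: PCIR at 0x1C,
    code right after it, padded to a multiple of 512 bytes)."""
    buf = bytearray(ROM_SIG + b"\x00")            # size byte filled in below
    buf += b"\x00" * (0x18 - len(buf))            # entry point / reserved area
    buf += struct.pack("<H", 0x1C)                # pointer to PCIR structure
    buf += b"\x00\x00"                            # pad so PCIR sits at 0x1C
    buf += PCIR_SIG + struct.pack(PCIR_FMT, vendor, device, 0, 0x18, 0,
                                  b"\x00\x00\x00", 0, 0, code_type,
                                  0x80 if last else 0x00, 0)
    buf += code
    total = -(-len(buf) // 512) * 512             # round up to 512-byte units
    buf += b"\x00" * (total - len(buf))
    units = total // 512
    buf[2] = units                                # x86 header size byte
    struct.pack_into("<H", buf, 0x1C + 0x10, units)  # PCIR image length
    return fix_checksum(bytes(buf))


def tamper(image, offset, patch, fix=False):
    """Constructed attacker model: overwrite bytes, optionally repairing the
    checksum the way a careful rootkit installer would."""
    buf = bytearray(image)
    buf[offset:offset + len(patch)] = patch
    return fix_checksum(bytes(buf)) if fix else bytes(buf)


def parse_rom(blob):
    """Walk the image chain. Returns (list of per-image dicts, trailing bytes)."""
    images, off, end = [], 0, 0
    while off + 0x1A <= len(blob):
        if blob[off:off + 2] != ROM_SIG:
            images.append({"offset": off, "error": "bad 0x55AA signature"})
            break
        pcir = off + struct.unpack_from("<H", blob, off + 0x18)[0]
        if pcir + 24 > len(blob) or blob[pcir:pcir + 4] != PCIR_SIG:
            images.append({"offset": off, "error": "PCIR structure missing"})
            break
        (vendor, device, _, _, _, _, units, _, code_type,
         indicator, _) = struct.unpack_from(PCIR_FMT, blob, pcir + 4)
        length = units * 512
        image = blob[off:off + length]
        images.append({
            "offset": off, "vendor": vendor, "device": device,
            "code_type": CODE_TYPES.get(code_type, "unknown"), "length": length,
            # header size byte and checksum are only defined for x86 images
            "size_byte_matches": code_type != 0 or blob[off + 2] == units,
            "checksum_ok": code_type != 0 or sum(image) % 256 == 0,
            "sha256": hashlib.sha256(image).hexdigest(),
        })
        end = off + length
        if indicator & 0x80 or length == 0:       # bit 7 = last image
            break
        off = end
    return images, max(0, len(blob) - end)


def audit_rom(blob, baseline_hashes):
    """Return a list of findings; an empty list means the ROM matches baseline."""
    findings = []
    images, trailing = parse_rom(blob)
    for img in images:
        tag = "image@0x%x" % img["offset"]
        if "error" in img:
            findings.append("%s: %s" % (tag, img["error"]))
            continue
        if not img["checksum_ok"]:
            findings.append("%s: checksum invalid (sloppy modification?)" % tag)
        if not img["size_byte_matches"]:
            findings.append("%s: header size byte disagrees with PCIR length" % tag)
        if img["sha256"] not in baseline_hashes:
            findings.append("%s: %s %04x:%04x hash not in baseline" % (
                tag, img["code_type"], img["vendor"], img["device"]))
    if trailing and not any("error" in i for i in images):
        findings.append("%d bytes after the last image: possible hidden payload" % trailing)
    return findings


# Constructed "vendor" ROM (stand-in IDs) and the baseline taken from it.
CLEAN_ROM = build_image(0x1234, 0x5678, b"\xEA\x00\x00\x00\x00original init code")
BASELINE = {hashlib.sha256(CLEAN_ROM).hexdigest()}

if __name__ == "__main__":
    print("clean:  ", audit_rom(CLEAN_ROM, BASELINE))
    print("sloppy: ", audit_rom(tamper(CLEAN_ROM, 0x40, b"EVILCODE"), BASELINE))
    print("careful:", audit_rom(tamper(CLEAN_ROM, 0x40, b"EVILCODE", fix=True), BASELINE))
    print("hidden: ", audit_rom(CLEAN_ROM + b"\x90" * 64, BASELINE))
```

On Linux the input blob can be obtained by writing 1 to the device's sysfs `rom` attribute and then reading it back. Two caveats a practitioner should keep in mind: the checksum check only catches a sloppy modification (the "careful" case above repairs it and is caught only by the baseline hash, so the baseline must come from a known-clean vendor image), and the blob is read back through the device itself, so without a hardware root of trust the audit is only as honest as the hardware it is auditing, which is exactly the gap the paper's TPM discussion is about.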

Author:  Satis [ Sun Jan 14, 2007 2:47 pm ]
Post subject: 

Is it me, or does that article seem a bit like a paid endorsement for "Trusted Computing"...which just means that the manufacturers take away your control of your own computer.

Anyway, I see some weaknesses in the argument.

1. The argument assumes that overwriting a FLASHable area of a PCI device or the system BIOS is feasible...this has several flaws.
a. System BIOS is (or should be) set to non-writeable by default, with the only way to turn off the writeability being prior to the BIOS transferring control to the hard drive. I'm not sure if that's the way it is, but I do know that most (all) BIOSes can be set to virus-safe. This presumably will defend against any overwriting attempts.

b. There's no standard PCI interface. BIOS is controlled by a small group of manufacturers, so a flaw in the BIOS protection could cause massive vulnerability. With PCI this is not the case. I would find it hard to point at any single device that even 5% of the PCs in the world contain, especially with a similar BIOS structure. Any kind of exploit would target such a small group as to be useless...you'd be better off exploiting something with a larger penetration capability.

2. Trusted computing seems to be hailed as the saviour for rootkits...but that's BS too. There's nothing that can be done that won't contain flaws. Look at DVD...it was built with security in mind, and has long been cracked. Even the HD discs have been cracked already, and they haven't been on the market very long. Like most DRM, chances are the only thing that Trusted Computing will hurt is legitimate users.

Anyway, pardon my rant, but Trusted computing is IMO a very, very bad thing. I will never buy a computer that has "Trusted Computing" built into it. I control my PC...not the manufacturer.
