The Null Device

2008/10/17

Several researchers at UIUC have written a paper on how one could insert general-purpose back doors into a CPU, allowing those in the know to pwn any machine running on it, almost undetectably:

We present the design and implementation of Illinois Malicious Processors (IMPs). There is a substantial design space in malicious circuitry; we show that an attacker, rather than designing one specific attack, can instead design hardware to support attacks. Such flexible hardware allows powerful, general purpose attacks, while remaining surprisingly low in the amount of additional hardware. We show two such hardware designs, and implement them in a real system. Further, we show three powerful attacks using this hardware, including a login backdoor that gives an attacker complete and high-level access to the machine. This login attack requires only 1341 additional gates: gates that can be used for other attacks as well. Malicious processors are more practical, more flexible, and harder to detect than an initial analysis would suggest.
And here are some details:
Our memory access mechanism provides hardware support for unprivileged malicious software by allowing access to privileged memory regions. Malicious software triggers the attack by forcing a sequence of bytes on the data bus to enable the memory access circuits. This sequence can be arbitrarily long to avoid false positives, and the particular sequence must be agreed upon before deployment. Once the sequence is observed, the MMU in the data cache ignores CPU privilege levels for memory accesses, thus granting unprivileged software access to all memory, including privileged memory regions like the operating system’s internal memory. In other words, loading a magic value on the data bus will disable protection checking. We implement this technique by modifying the data cache of our processor to include a small state machine that looks for the special sequence of bytes, plus some additional logic in the MMU to ignore privilege levels when malicious software enables the attack.
Using the shadow mode mechanism, we implement a malicious service that acts as a permanent backdoor into a system (Figure 2). To initiate the attack, an attacker sends an unsolicited network packet to the target system and the target OS inspects the packet to verify the UDP checksum. The act of inspecting the packet (necessary to decide if it should be dropped) triggers the trojaned hardware, and the malicious service interprets the contents of the packet as new firmware that it loads into the processor invisibly. The target operating system then drops the unsolicited packet and continues operation, oblivious to the attack.
And there's more, including ways of stealing passwords.
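A small Python model of the bus-trigger mechanism the excerpt describes, added here for illustration (it is not code from the paper and assumes nothing about the real circuit beyond what the quote states): a prefix-tracking state machine arms the privilege bypass only after the full agreed byte sequence, and `spurious_arm_count` shows why a one-byte trigger would fire on ordinary traffic while a multi-byte one practically never does, which is the false-positive point the authors make and the reason ordinary functional testing is unlikely to stumble on it.

```python
import random

# Simplified model of the IMP memory-access trigger: a state machine watches the
# data bus for an agreed byte sequence and, once it has seen all of it, arms a flag
# that makes the MMU stop checking the CPU privilege level. (Illustrative model
# only; the sequence below is constructed for the example.)
class BusTriggerModel:
    def __init__(self, sequence: bytes):
        self.sequence = sequence
        self.matched = 0       # leading bytes of the sequence seen so far
        self.armed = False
        # KMP failure table so overlapping partial matches restart correctly
        self._fail = [0] * len(sequence)
        k = 0
        for i in range(1, len(sequence)):
            while k and sequence[i] != sequence[k]:
                k = self._fail[k - 1]
            if sequence[i] == sequence[k]:
                k += 1
            self._fail[i] = k

    def observe(self, byte: int) -> bool:
        """Feed one byte seen on the data bus; returns True once armed."""
        if self.armed:
            return True
        while self.matched and byte != self.sequence[self.matched]:
            self.matched = self._fail[self.matched - 1]
        if byte == self.sequence[self.matched]:
            self.matched += 1
        if self.matched == len(self.sequence):
            self.armed = True
        return self.armed

    def mmu_allows(self, user_mode: bool, page_privileged: bool) -> bool:
        """Normal rule: user code may not touch privileged pages, unless armed."""
        if self.armed:
            return True
        return not (user_mode and page_privileged)

def spurious_arm_count(seq_len: int, traffic_bytes: int, trials: int, seed: int = 1) -> int:
    """How many of `trials` random bus streams accidentally arm a seq_len-byte trigger."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        seq = bytes(rng.randrange(256) for _ in range(seq_len))
        model = BusTriggerModel(seq)
        if any(model.observe(rng.randrange(256)) for _ in range(traffic_bytes)):
            hits += 1
    return hits
```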

And if civilian security researchers have just discovered this, it's not unlikely that ones in intelligence agencies have had such techniques for a while. I wouldn't be surprised if the NSA had similar back doors in all US-designed CPUs likely to end up on the export market, just in case, or if the Chinese government had similarly altered CPUs (or other strategic components) being manufactured on Chinese production lines, or indeed if other intelligence agencies had managed to get their own hooks into the silicon.

(via Schneier)

The Times reports that paedophiles and terrorists are joining forces online into a unified axis of unstoppable evil.

Secret coded messages are being embedded into child pornographic images, and paedophile websites are being exploited as a secure way of passing information between terrorists.
It is not clear whether the terrorists were more interested in the material for personal gratification or were drawn to child porn networks as a secure means of sending messages. In one case fewer than a dozen images were found; in another, 40,000.
And another piece, looking for a rationale for the paedoterrorist nexus:
Some paedophiles have become adept at encrypting information and burying it so deeply in the internet that no outsider can easily find it. Paedophiles then meet in cyberspace and swap notes on how to reach the images. None is likely to rush to police saying they suspect that they have spotted a terrorist loitering on their child porn website.
Another area investigators will want to explore is the similarity between the personalities of paedophiles and terrorists. “If they are going out, a lot of time is spent by going to the mosque or going off to internet cafés,” the source said.
Of course, there is no way that the timing of these explosive and terrifying revelations could have anything to do with the government's plans for an "Orwellian" database of all phone calls, emails and internet communications in Britain facing opposition.
