Saturday, March 03, 2007
Rutkowska strikes again!
Most forensics work these days involves shutting down a system and studying the hard disk in isolation. The problem is that if the malware you're after sits on a critical system that can't be shut down, or was written by somebody clever, it might live entirely in RAM and leave nothing on disk to study.
So the arms race continued with software tools that copy live RAM onto an acquisition device. Those tools run on the same compromised CPU as the malware, so of course any self-respecting rootkit can subvert them.
So the arms race continued with proposals to build hardware RAM-acquisition boards which go into a PCI slot and use DMA to read system RAM, bypassing the CPU entirely. Foolproof, right?
Unless the malware author is as smart as Joanna Rutkowska, who observed that DMA requests do not go through the same address-translation path as CPU RAM accesses, that the difference is configurable in the chipset, and that malware with driver-level access can:
- Remap the addresses the acquisition card reads over DMA so they resolve to memory-mapped I/O pointing back at the card itself, crashing the very system you couldn't afford to take down for study
- Redirect that memory-mapped I/O to another PCI card instead, so that a range of addresses is "covered": the acquisition card reads unrelated bits where the CPU sees the real contents
- Write chosen contents to that other PCI card, and so control exactly what the acquisition card sees.
This is beautiful work. It is theoretically detectable, though: it would take consummate artistry to replace a block of RAM and have the substituted contents stay internally and logically consistent with everything around them (the pointers into and out of the block, checksums, page tables and the like).
If you are trying to prevent attacks like that, I don't see any way offhand. She studied AMD systems, but there's no reason to think that others are less configurable.
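To make the "internally consistent" point concrete, here is an added example (mine, not code from the post and not Rutkowska's): a toy model of the covering attack and the two checks an examiner could run on an acquired image. It constructs a small fake physical memory image holding a self-describing linked list of checksummed records, produces the view a DMA card would get once one range has been covered with unrelated bits, and then (1) diffs the CPU view against the DMA view page by page, and (2) walks the records in the DMA view alone to show that the covered bytes break internal consistency even without a trusted CPU-side copy to compare against. The record layout, addresses and byte patterns are all constructed for the example.

```python
import hashlib
import struct
import zlib

PAGE = 4096
MAGIC = b"REC0"
# Constructed record header: magic, phys addr of next record, payload length, crc32
HDR = struct.Struct("<4sIII")


def build_cpu_view(num_pages: int = 8) -> bytearray:
    """Constructed 'true' RAM as the CPU sees it: one record at the start of
    each page, each pointing at the next, the last one pointing at 0."""
    mem = bytearray(num_pages * PAGE)
    for i in range(num_pages):
        payload = bytes((i * 37 + k) & 0xFF for k in range(200))
        next_phys = (i + 1) * PAGE if i + 1 < num_pages else 0
        base = i * PAGE
        mem[base:base + HDR.size] = HDR.pack(MAGIC, next_phys, len(payload),
                                             zlib.crc32(payload))
        mem[base + HDR.size:base + HDR.size + len(payload)] = payload
    return mem


def cover_range(cpu_view: bytearray, start: int, length: int,
                seed: int = 0x5A) -> bytearray:
    """The view a DMA acquisition card gets after the 'covering' attack:
    identical to RAM except that [start, start+length) returns unrelated
    bits (a deterministic pseudo-random pattern stands in for them here)."""
    dma = bytearray(cpu_view)
    cover = bytes(((seed * 1103515245 + k * 12345) >> 8) & 0xFF
                  for k in range(length))
    dma[start:start + length] = cover
    return dma


def differing_pages(a: bytearray, b: bytearray) -> list:
    """Check 1: page-granular diff of two views of the same physical memory.
    Only useful if the CPU-side view itself can be trusted."""
    def page_hash(view, i):
        return hashlib.sha256(view[i * PAGE:(i + 1) * PAGE]).digest()
    return [i for i in range(len(a) // PAGE) if page_hash(a, i) != page_hash(b, i)]


def walk_records(view: bytearray):
    """Check 2: follow the record list from physical address 0 using only the
    acquired image. Returns (records_verified, phys_addr_of_first_bad_record),
    with None as the address when the whole chain checks out."""
    seen = set()
    addr, count = 0, 0
    while True:
        if addr in seen or addr + HDR.size > len(view):
            return count, addr          # loop or pointer outside the image
        seen.add(addr)
        magic, nxt, plen, crc = HDR.unpack_from(view, addr)
        payload = bytes(view[addr + HDR.size:addr + HDR.size + plen])
        if magic != MAGIC or len(payload) != plen or zlib.crc32(payload) != crc:
            return count, addr          # header or payload no longer consistent
        count += 1
        if nxt == 0:
            return count, None
        addr = nxt


if __name__ == "__main__":
    cpu = build_cpu_view()
    dma = cover_range(cpu, 3 * PAGE, PAGE)      # attacker covers page 3
    print("pages that differ between CPU and DMA views:", differing_pages(cpu, dma))
    print("walk of CPU view:", walk_records(cpu))
    print("walk of DMA view:", walk_records(dma))
```

The second check is the one that matters in practice: on a compromised host the CPU-side image is exactly what cannot be trusted, so the examiner is left validating the DMA image against itself. Real images offer plenty of such structure (page tables, kernel object lists, driver headers), and an attacker who covers a range has to keep all of it consistent to stay hidden.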
Joanna Rutkowska presentation at BlackHat DC on defeating hardware-based rootkit detectors.