On Thu, 9 Feb 2012, "Milan P. Stanic" <m...@arvanta.net> wrote:
> On Wed, 2012-02-08 at 17:56, Fernando Mercês wrote:
> > I think you're talking about syscall interceptions and related stuff.
> > You're right, we can't trust, but in this case we're talking about
> > a very specialized malware and I don't see any fast action to bypass
> > it. Maybe the conclusion is that we can't trust anything, so we can't
> > do anything, but something needs to be done, right?
> >
> > An option is to load another kernel with kexec but we can't trust kexec.
> > What do we do?
>
> What about a device which can be tapped into the CPU of a running machine and
> then 'take over' the CPU. Such a device could then read RAM, block devices and
> peripherals to save data for post-mortem analysis.

There are devices which use firewire to directly access system RAM. It is also possible to design a PCI/PCIe card which does bus-mastering under external control to dump RAM contents. I've seen a live demonstration of the use of firewire to directly access system RAM: a system was compromised by having some memory altered, and dumping the RAM would be trivial by comparison. It has also been demonstrated that if you chill RAM to a low temperature then you can extract it from the system with most of its contents intact.

But these aren't things that you start thinking of after you have a compromised system; most desktop systems and servers don't have firewire and almost no systems have a PCI/PCIe card to dump RAM. Using dry ice or liquid nitrogen on RAM isn't something that you would do without some planning either.

> Although some secret agencies could already have something like that
> I'm not sure that it is commercially available or will be in the near
> future.

There are some people who would provide such things for the right money.

> If someone thinks that a hardware manufacturer could design and put on the
> market computers with such an option built in, I suspect that it will be
> suppressed by legislators.

No, it would be suppressed by the people who want to save every last cent on manufacture. Anything that isn't the cheapest way of designing a system is going to be a really expensive optional extra.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/201202092319.45519.russ...@coker.com.au
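The thread above discusses external devices (firewire, a bus-mastering PCI/PCIe card) that read system RAM directly. From the defender's side, the useful question is whether a Linux host has the usual mitigations against that kind of device DMA in place. The following audit helper is an added example, not code from anyone in this thread: it checks that an IOMMU is enabled on the kernel command line and that the firewire OHCI driver is not loaded. The function takes the command line and `lsmod` output as strings so it can be exercised on constructed samples offline; the kernel parameter names (`intel_iommu=on`, `amd_iommu=on`, `iommu=force`) and the module name `firewire_ohci` are assumed to be the relevant indicators on typical kernels.

```shell
#!/bin/sh
# Added example (not from the thread): report whether a Linux host has the
# common mitigations against DMA-based memory access by external devices.
#
# Assumption: intel_iommu=on / amd_iommu=on / iommu=force on the kernel
# command line and the absence of the firewire_ohci module are the relevant
# indicators; adapt the patterns for other kernels or drivers.
#
# On a live host:  dma_mitigation_status "$(cat /proc/cmdline)" "$(lsmod)"

# dma_mitigation_status CMDLINE LSMOD_OUTPUT
# Prints one line per check; returns 0 when every check passes, 1 otherwise.
dma_mitigation_status() {
    cmdline=$1
    lsmod_out=$2
    rc=0

    # Check 1: an IOMMU confines device DMA to the ranges the kernel mapped
    # for that device, so an external bus master cannot read arbitrary RAM.
    case " $cmdline " in
        *" intel_iommu=on "*|*" amd_iommu=on "*|*" iommu=force "*)
            echo "iommu: enabled on kernel command line" ;;
        *)
            echo "iommu: NOT enabled (consider intel_iommu=on or amd_iommu=on)"
            rc=1 ;;
    esac

    # Check 2: the firewire OHCI driver exposes host memory to attached
    # firewire devices; it should be absent (blacklisted) unless needed.
    if printf '%s\n' "$lsmod_out" | grep -q '^firewire_ohci[[:space:]]'; then
        echo "firewire: firewire_ohci loaded (blacklist it if unused)"
        rc=1
    else
        echo "firewire: firewire_ohci not loaded"
    fi

    return $rc
}

# Constructed sample inputs (not captured from a real host):
SAMPLE_CMDLINE_HARDENED="BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro intel_iommu=on quiet"
SAMPLE_CMDLINE_DEFAULT="BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet"
SAMPLE_LSMOD_WITH_FW="Module                  Size  Used by
firewire_ohci          45056  0
firewire_core          81920  1 firewire_ohci"
SAMPLE_LSMOD_CLEAN="Module                  Size  Used by
ext4                  786432  1"

# Run with --self-test to see both a passing and a failing report.
if [ "${1:-}" = "--self-test" ]; then
    echo "== hardened host =="
    dma_mitigation_status "$SAMPLE_CMDLINE_HARDENED" "$SAMPLE_LSMOD_CLEAN"
    echo "== default host =="
    dma_mitigation_status "$SAMPLE_CMDLINE_DEFAULT" "$SAMPLE_LSMOD_WITH_FW"
fi
```

The check is deliberately conservative: a host that passes both checks still needs the IOMMU actually active in firmware and kernel (`/sys/kernel/iommu_groups` is non-empty on such a system), and Thunderbolt or ExpressCard ports bring the same bus-mastering concern even where firewire is absent.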