On Thu, 2012-02-09 at 23:19, Russell Coker wrote:
> On Thu, 9 Feb 2012, "Milan P. Stanic" <m...@arvanta.net> wrote:
> > On Wed, 2012-02-08 at 17:56, Fernando Mercês wrote:
> > > I think you're talking about syscall interceptions and related stuff.
> > > You're right, we can't trust it, but in this case we're talking about
> > > a very specialized malware and I don't see any fast action to bypass
> > > it. Maybe the conclusion is that we can't trust anything, so we can't
> > > do anything, but something needs to be done, right?
> > >
> > > An option is to load another kernel with kexec, but we can't trust kexec.
> > > What do we do?
> >
> > What about a device which can be tapped to the CPU of the running machine and
> > then 'take over' the CPU. Such a device could then read RAM, block devices and
> > peripherals to save data for post mortem analysis.
>
> There are devices which use firewire to directly access system RAM. It is

AFAIK firewire must be enabled by the kernel (CPU) to have access to RAM via DMA controller settings. A hacked kernel could disable DMA access to the firewire (or any) controller.

> also possible to design a PCI/PCIe card which does bus-mastering on external
> control to dump RAM contents. I've seen a live demonstration of the use of
> firewire to directly access system RAM, a system was compromised by having
> some memory altered, dumping the RAM would be trivial by comparison.

I'm not sure, for modern computer architecture, does the CPU have to enable bus mastering for a device on the bus? If so, malware could disable bus mastering for peripheral devices.

> It has also been demonstrated that if you chill RAM to a low temperature then
> you can extract it from the system with most of its contents intact.

Fifteen (maybe twenty) years ago I wrote a small Forth interpreter which could run from the 486 CPU cache, and at that time the 486 had a 4KB cache. Theoretically, new generation malware could be designed to run entirely from the CPU cache.

-- 
Kind regards, Milan
--------------------------------------------------
Arvanta, IT Security http://www.arvanta.net
Please do not send me e-mail containing HTML code or documents in proprietary format (word, excel, pps and so on)

Archive: http://lists.debian.org/20120209141629.ga6...@arvanta.net
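As an added example (not code from anyone in this thread), here is a small Linux audit script that looks at the bus-mastering question above from the defender's side: it reads each PCI function's Command register from sysfs, reports which devices currently have Bus Master Enable set, and checks whether the kernel has an IOMMU active so that device DMA is constrained. The sysfs paths are the standard Linux ones; the field layout is the PCI configuration header (16-bit Command register at offset 4, bit 2 = Bus Master Enable).

```python
"""Audit PCI Bus Master Enable bits and IOMMU state on a Linux host.
Added example for this thread; assumes standard Linux sysfs layout and
the PCI type-0 configuration header (vendor/device ids at offset 0,
Command register at offset 4, bit 2 = Bus Master Enable)."""
import os
import struct

SYS_PCI = "/sys/bus/pci/devices"
IOMMU_GROUPS = "/sys/kernel/iommu_groups"
BUS_MASTER_ENABLE = 1 << 2  # bit 2 of the PCI Command register


def parse_config(cfg: bytes) -> dict:
    """Decode vendor id, device id and the Command register from the
    first 8 bytes of a PCI configuration header (little-endian)."""
    vendor, device, command, _status = struct.unpack_from("<HHHH", cfg, 0)
    return {
        "vendor": vendor,
        "device": device,
        "command": command,
        "bus_master": bool(command & BUS_MASTER_ENABLE),
    }


def iommu_active(path: str = IOMMU_GROUPS) -> bool:
    """The kernel only populates iommu_groups when an IOMMU (VT-d/AMD-Vi)
    is enabled, i.e. when device DMA is translated and restricted."""
    return os.path.isdir(path) and len(os.listdir(path)) > 0


def audit(root: str = SYS_PCI) -> list:
    """Return (address, info) for every PCI function, reading only the
    first 64 bytes of config space (readable without root privileges)."""
    results = []
    for addr in sorted(os.listdir(root)):
        with open(os.path.join(root, addr, "config"), "rb") as f:
            cfg = f.read(64)
        if len(cfg) >= 8:
            results.append((addr, parse_config(cfg)))
    return results


if __name__ == "__main__":
    print("IOMMU active:", iommu_active())
    for addr, info in audit():
        flag = "BUS-MASTER" if info["bus_master"] else "-"
        print(f"{addr} {info['vendor']:04x}:{info['device']:04x} {flag}")
```

Devices with bus mastering enabled and no active IOMMU are the ones that can read arbitrary RAM the way the firewire demonstration above did, so that combination is what the output is meant to make visible.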