Security Risks of Firewire and PCMCIA DMA

Does anyone know of a way to mitigate or totally eliminate the risks of firewire and PCMCIA direct memory access on a running Windows XP system that has the keyboard/mouse/screen locked out?

Everything I've ever read has said just live with the risk because there's nothing you can do about it. Some have suggested just plugging the ports with epoxy. That's not a good solution and can probably be bypassed.

The problem seems to be that no matter how diligent you are, there's no software solution to this. These ports have direct access to RAM, so they can do virtually anything to your system. I'm sure there's a solution out there, but I have yet to run accross it.

Reply to
Loading thread data ...

Why not delete the drivers? That ought to do it!

Reply to
Rick Merrill

Exactly not. The point is that you don't need any drivers to interact with the hardware to set this up. Heck, your kernel could already be crashed, and still you could dump the entire RAM content over FireWire by issuing the relevant commands. A reasonable workaround would be to deactive Busmastering for the FireWire controller, a better would be a utility which disables FireWire debugging for the controller.

For PCMCIA, there is no workaround. PCMCIA is almost equivalent to PCI, which allows the hardware to take over the system as it likes, including sending arbitrary electrical signals to the system bus.

Reply to
Sebastian G.

Actually, you do need to enable the firewire device to allow for such commands; if it is disabled it will not work.


Reply to
Casper H.S. Dik

Sadly this is not the case. It heavily depends on whether busmastering was initially enable by the driver, when then disabling the driver will lead to the discussed state. If it was already enable by the ACPI BIOS Setup, then disabling the driver won't change anything. Depending on the implementatin, disabling it in the BIOS might change something, but I wouldn't count on that. Not to mention System Management Mode and ACPI firmware...

At any rate, disabling the device might not be appropriate if you actually want/need to use it.

Reply to
Sebastian G.

Okay, 2 possible solutions:

  1. deactivate bus mastering for the firewire controller
  2. disable firewire debugging for the controller

I'll be damned if I know how to do either. Could you list all the ways you know of to accomplish the above. I'll just do them all. I don't need firewire on the system in question. I'll do anything short of destroying the firewire capabilities, because I don't think that's reliable anyway.

If it doesn't work, at least I will have tried my best.

Regarding PCI, I was reading about something called Tribble that could compromise a system and get all the contents of RAM. But the trick was that it had to be installed before the system was turned on (I think). Is there any way that you know of to manipulate PCI on a running system to get a RAM dump?

Regarding the issue of disabling the drivers. If disabling the drivers causes the system to power down the port in question, does that mitigate any potential risks associated with the port? In other words, if I can confirm a port is powered down, do I have anything to worry about from that port?

Thank you.

Reply to

Turn of the FireWire controller in both BIOS and your OS, and then check whether you can still do kernel debugging over FireWire.

The real trick is how to insert a PCI card on the running system without breaking the bus arberitation.

Why using PCI? Snooping the system bus at the RAM controller is way easier.

Yes and no. It doesn't power down anything, but as long as busmastering was disabled before, there'll be no driver turning it on again.

Reply to
Sebastian G.

Fill the ports with dongles whose presence will be verified frequently; and do nasty things if they are not there...

Reply to
David Lesher Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.