IEEE 1394 (FireWire) Memory Imaging Feb 22 2007 04:28PM
Tim (tim-forensics sentinelchicken org) (2 replies)
Re: IEEE 1394 (FireWire) Memory Imaging Feb 23 2007 05:03PM
Christophe Monniez (d-fence swing be) (1 replies)
Re: IEEE 1394 (FireWire) Memory Imaging Feb 23 2007 06:09PM
Tim (tim-forensics sentinelchicken org)
Re: IEEE 1394 (FireWire) Memory Imaging Feb 23 2007 02:57PM
Valdis Kletnieks vt edu (1 replies)
On Thu, 22 Feb 2007 11:28:42 EST, Tim said:
> I recently came across a fantastic (and alarming) tool kit for reading
> systems' memory over firewire:

The original demonstration was for a Mac - google for 'pwn a mac with your ipod'
and that should find it. ;)

There's also Firescope:
which has been used for debugging Linux kernels.

> I just used it to dump memory off of my laptop while booted to both
> Windows XP and Linux. I'm kinda surprised that this vulnerability
> hasn't been addressed in these OSes, since it has been known for some
> time, but I guess it's more of a hardware problem.

Well, the problem is that Firewire allows for DMA control from the other
end of the wire.

For Linux, it's addressable by either:

1) Making sure there's no ieee1394 driver loaded by blacklisting it in
whatever udev/modules file your distro uses for such things. No driver
loaded means the near end of the wire isn't initialized, so it doesn't work.

2) Force the module to be loaded with the parameter 'phys_dma=0'.
This causes the ieee1394 chipset to be initialized with settings that
reject the DMA requests.

> In any case, I was wondering if anyone has used this technique to
> capture physical memory in investigations.

I'm sure that if it's been used to hack Macs and debug Linux kernels,
somebody is using it for investigations. :)
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Exmh version 2.5 07/13/2001


[ reply ]
Re: IEEE 1394 (FireWire) Memory Imaging Feb 23 2007 06:00PM
Tim (tim-forensics sentinelchicken org)


Privacy Statement
Copyright 2010, SecurityFocus