https://news.ycombinator.com/item?id=7113788
A couple years ago, I chased down and tackled a guy who snatched my laptop on the Blue Line in Chicago. The threat of laptop theft is real and I'd like to mitigate the damage that would result without compromising my ability to work.
If other ports are exposed that offer DMA capabilities, then they need to be disabled. Don't load the drivers/epoxy the physical ports.
I was not aware that a new connector would reopen such a massive vulnerability. (Docking ports may also have some issue, but since they're proprietary it wouldn't matter.)
That said, I think my assessment is still accurate. If you're just worried about a theft, it seems very unlikely they'd run these kinds of tools before restarting. And even then, why bother? Why not just reformat the machine, if it's just a theft? If you have actual enemies "then keep your laptop physically secured and powered off. And don't use it after breaking chain of custody."
The really shitty thing is that some new laptops (W540) apparently don't ship DisplayPort or other digital video, but just Thunderbolt.
As most (if not all) disk encryption programs store an expanded version of the key in memory, there is significant redundancy to recover from the partially lost data.
And yes, me, a not particularly security-oriented guy, did this fairly quickly as a demonstration for coworkers. It required only marginally more than script kiddie levels of knowledge.
The solution is an IO memory management unit with virtualized access to physical memory. I am not sure how you can actually enforce this to devices on the bus though.
> Attack Mitigation : OSX : Don’t panic – if you are using FileVault2 and OS X Lion (10.7.2) and higher, the OS will automatically turn off DMA when locked – you’re still vulnerable to attacks when unlocked, though
So it sounds like Apple has patched it. You just have to make sure your machine is locked.
http://support.microsoft.com/kb/2516445
It's a well known limitation/tradeoff. Newer machines might ditch DisplayPort for Thunderbolt, which will really suck.
"The drawback of this mitigation is that external storage devices can no longer connect by using the 1394 port, and all PCI Express devices that are connected to the Thunderbolt port will not work. Because USB and eSATA are so prevalent, and because DisplayPort often works even when Thunderbolt is disabled, the adverse effect caused by these mitigations should be limited."
The problem here is fundamentally one of performance - PCIe and other devices cannot function efficiently without direct memory access. The only reason FireWire was capable of the speeds it originally was, was because of DMA. USB didn't have DMA (and still doesn't? I think..) and so for shuttling large amounts of uncompressed data into the address space of a consuming application, it was incredibly inefficient to involve the CPU.
PCI-Express and other buses followed a similar route - DMA is vastly superior to every other way of transferring data.
Theoretically an I/O memory management unit with virtualization support could protect your machine, but I don't know if any OSes and hardware combinations actually use that to protect the machine.
I suppose it made sense when Macs and PCs ran single-user OSes on hardware that lacked memory protection. Keeping the default behavior from that day is not wise for, well, the last decade or so. (Fresh OSX seems to have changed accordingly, as the tool's page mentions.)
Attacks over FireWire or SCSI were part of the threat model that the Palladium team was concerned about.
Q: Isn’t FireWire a dying horse? Few laptops ship with FireWire ports these days, which makes Inception a useless tool.
A: You can use any interface that expands the PCIe bus, for example PCMCIA, ExpressCards, the new Thunderbolt interface and perhaps SD/IO to hotplug a FireWire interface into the victim machine. The OS will install the necessary drivers on the fly, even when the machine is locked.
Ensure that FireWire drivers are present and not removed from the system
In other words, if you don't have FireWire drivers installed, then this won't do anything; another plus for not installing the drivers for those who have a system with FireWire ports but never need to use them.
My laptop has both FireWire and USB controllers disabled, the former because I never use it and the latter because I almost never use it - and when I do, I find it's not too much hassle to go into the Device Manager and enable the one for the one port I intend to use. Another positive side-effect is that the USB drivers seem to take a rather long time to initialise, so booting is much faster without them.
I wonder how to block this... It seems like it can only write to the lower 4 GB... RAM is cheap... so add an additional 4 GB and then modify the kernel to load everything critical above the boundary?
http://www.youtube.com/watch?v=ynzcUw9wv0E#t=18 (where rubber cement is the leaf. Just go around it!)
So, not really a problem then?
[1] https://developer.apple.com/library/mac/documentation/Hardwa...
In the end, unless you can coerce a DMAR table out of the machine, I'm not sure how you can tell if the thing actually supports VT-d.
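As an added illustration, not from the thread or the Inception project, of the two checks raised above (whether the FireWire driver stack can still be loaded, the requirement quoted from the tool's docs, and whether the firmware exposes a DMAR table, the precondition for VT-d), here is a POSIX sh audit for Linux. File paths are parameters so it can be exercised on copied data; SAMPLE_MODULES is constructed, and the `install ... /bin/false` modprobe idiom is a common hardening choice, not something the thread prescribes.

```shell
#!/bin/sh
# Added example: audit a Linux box for the two DMA-related points raised in the
# thread. Paths are parameters so the functions can be exercised on copied data.

# "present" if the firmware exposes an ACPI DMAR table under $1 (normally
# /sys/firmware). DMAR is necessary but not sufficient for VT-d: the kernel must
# also enable the IOMMU (e.g. intel_iommu=on) and the firmware must not lie.
dmar_status() {
    if [ -f "$1/acpi/tables/DMAR" ]; then echo present; else echo absent; fi
}

# Read /proc/modules-formatted text on stdin; print loaded FireWire modules.
loaded_firewire_modules() {
    awk '$1 ~ /^(firewire_|ohci1394|sbp2|ieee1394)/ { print $1 }'
}

# modprobe.d fragment that keeps the FireWire stack from loading on hotplug:
# "blacklist" stops alias-based autoload, "install ... /bin/false" makes an
# explicit modprobe fail as well. Save as /etc/modprobe.d/no-firewire.conf.
firewire_blacklist_conf() {
    for m in firewire_ohci firewire_core firewire_sbp2; do
        echo "blacklist $m"
        echo "install $m /bin/false"
    done
}

# Verdict for firmware dir $1 and modules file $2: "hardened" only when no
# FireWire module is loaded and a DMAR table is present.
dma_audit() {
    fw=$(loaded_firewire_modules < "$2" | tr '\n' ' ')
    dmar=$(dmar_status "$1")
    if [ -z "$fw" ] && [ "$dmar" = present ]; then
        echo hardened
    else
        echo "exposed: firewire=[${fw% }] dmar=$dmar"
    fi
}

# Constructed sample in /proc/modules format (not from a real machine); a box
# with the FireWire stack loaded looks like this.
SAMPLE_MODULES='firewire_ohci 45056 0 - Live 0x0
firewire_core 69632 1 firewire_ohci, Live 0x0
usbcore 286720 3 xhci_pci,xhci_hcd, Live 0x0'

# On a live system run the real audit; otherwise show the sample's FireWire hits.
if [ -r /proc/modules ]; then
    dma_audit /sys/firmware /proc/modules
else
    printf '%s\n' "$SAMPLE_MODULES" | loaded_firewire_modules
fi
```

A "present" DMAR result only tells you the firmware advertises VT-d; confirm the kernel actually engaged the IOMMU (dmesg reports it at boot) before treating DMA from hotplugged devices as contained.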
1. Is there yet any I/O firewall like Little Snitch or Hands Off! are for files and network?
2. Linux and Windows also desperately need I/O firewalls.
Thunderbolt on Windows 8 has an option for Allow DMA by Default, or not. This option is so that you can do a bit more prioritizing of your bandwidth.
Windows 8 also has a setting for "install new hardware automatically" which, if you disable it, means you can only install hardware if you are logged in and click the install button.
Windows 8 will also not allow you to install a new device if you are not logged in as Admin, or you have the annoying UAC enabled.
So while Mac and some Linux systems will have this vulnerability because you don't have to be an admin to have new hardware enabled if the drivers are on the system, Windows should be safe unless you changed your rights.
On a corporate network with machines where the users run in least user privilege, Windows 8 and Windows 7 users are safe.
Phew.