Hi Steve,
I remember the DMA situation from a few years ago being quite bad, and it looks like you or one of your colleagues has posted some good resources on that at
http://privatecore.com/resources-overview/physical-memory-at...
I realize that with PrivateCore you're taking quite a comprehensive approach to this problem and not bothering with more piecemeal counterforensic approaches, but I'm still curious about what counterforensic techniques exist for people who aren't going as far as you are. For example, can we make stock Linux deny memory access on external buses with a software policy, or is this simply not something that can be accomplished from software?
I imagine you have good arguments for why the piecemeal approach is likely to fail in the face of a skilled forensic attacker. But many of the attacks that you described to me when we last talked about this were more along the lines of hardware-assisted Evil Maid attacks in an unmonitored and unsupervised colo, rather than forensic attacks against an unmodified encrypted laptop. I'm curious about how different the threat scenarios are between these two cases now.