SANS ISC: Hardware isn't always more trustworthy than software - SANS Internet Storm Center SANS ISC InfoSec Forums

Hardware isn't always more trustworthy than software

Last week one of my colleagues mentioned that he found it strange that people always assume software is at fault when IT-related issues occur. He hit the nail right on the head: is hardware really more trustworthy?

Last week, Polish security researcher Joanna Rutkowska gave some good evidence that this need not always hold true. At the Black Hat conference in Washington, DC, she showed three different scenarios in which software can fool hardware-based forensic acquisition of RAM.

The attacks, while still only theoretical, were developed for the AMD64 platform and could allow software running on a compromised system to cause such tools to crash, read out "garbage" data or in fact present them with fake content. This could make it impossible for a forensic investigator to discover malware in memory, even though it is in fact there.

Intelligence principles have always dictated that we need to be very careful where we get our information from, and preferably triangulate it with other sources. Understanding whether the source of our information has a motivation to lie to us is becoming more and more important. In essence, Joanna shows that DMA (direct memory access) really isn't all that direct, and we need to better understand the limitations of our tools.

Maarten Van Horenbeeck

Mar 4th 2007