Re: IEEE 1394 (FireWire) Memory Imaging

On Thu, 22 Feb 2007 11:28:42 EST, Tim said:
> I recently came across a fantastic (and alarming) tool kit for reading
> systems' memory over firewire:
>   http://www.storm.net.nz/projects/16

The original demonstration was for a Mac - google for 'pwn a mac with your ipod'
and that should find it. ;)

There's also Firescope: ftp://ftp.firstfloor.org/pub/ak/firescope/
which has been used for debugging Linux kernels.

> I just used it to dump memory off of my laptop while booted to both
> Windows XP and Linux.  I'm kinda surprised that this vulnerability
> hasn't been addressed in these OSes, since it has been known for some
> time, but I guess it's more of a hardware problem.

Well, the problem is that Firewire allows for DMA control from the other
end of the wire.

For Linux, it's addressable by either:

1) Making sure there's no ieee1394 driver loaded by blacklisting it in
whatever udev/modules file your distro uses for such things.  No driver
loaded means the near end of the wire isn't initialized, so it doesn't work.

2) Force the module to be loaded with the parameter 'phys_dma=0'.
This causes the ieee1394 chipset to be initialized with settings that
reject the DMA requests.

> In any case, I was wondering if anyone has used this technique to
> capture physical memory in investigations.

I'm sure that if it's been used to hack Macs and debug Linux kernels,
somebody is using it for investigations. :)

pgpIXbqI9fCCR.pgp
Description: PGP signature