13 February 2014
Network Interface Card SSH Rootkit
Related papers by Arrigo Triulzi:
http://www.alchemistowl.org/arrigo/
Project Maux Mk.II
http://t.co/h1gDtV4Vlr
The Jedi Packet Trick takes over the Deathstar
http://t.co/ENlITkJEoX
Project Booshoo or the Emporer's Modified
Mind https://t.co/33trlpJkFG
Date: Thu, 13 Feb 2014 09:19:13 +0100
From: Matej Kovacic <matej.kovacic[at]owca.info>
To: cypherpunks[at]cpunks.org
Subject: Re: Snowden and Compilers
> It was demonstrated well before then, Arrigo Triulzi had demonstrated
running
> an SSH server inside a NIC several years earlier.
Below is a text of interview with Triulzi, from 2009. Website where this
was published has some technical problems (only Slovenian version is published,
but English will be recovered in a day or two).
Meanwhile, web.archive version is available:
https://web.archive.org/web/20090929091150/http://slo-tech.com/clanki/09010/en
Slovenian version
(https://slo-tech.com/clanki/09010/)
has a screenschoot of NIC SSH in action.
_____
"All
your firmware are belong to us"
Matej Kovacic :: 26 september 2009
Interview with independent security and networking consultant Arrigo
Triulzi
Arrigo
Triulzi is an independent security and networking consultant, working
out of Geneva in Switzerland. He is a mathematician by training but has been
a consultant for over 20 years. His hobby is firmware research. In November
2008 he had a presentation about
project
Maux -- his research about firmware rootkits.
Since firmware rootkits and exploits are interesting area of research, we
decided to make a short interview with him to present this topic to our readers.
Matej Kovacic: First question -- could you describe
rootkits for our readers in a few words?
Arrigo Triulzi: A rootkit is normally defined as a collection
of tools which allow the remote control of a system. They generally consist
of at least a sniffer, a password cracker and a backdoor.
Matej Kovacic: What is the difference between software
and hardware rootkits?
Arrigo Triulzi: A software rootkit is tailored to an operating
system, often a specific version of an operating system, a hardware rootkit
is tailored to the hardware of a specific system and is therefore operating
system independent. A reinstall of software on a system infected with a hardware
rootkit has no effect on the rootkit's operation.
Matej Kovacic: Last year you had the presentation about
malicious code, stored on a network card. Could you describe what is the
general idea of hardware rootkits and what exactly have you done?
Arrigo Triulzi: The idea behind hardware rootkits (see John
Heasman's ACPI work, Jason Larson's work on in-memory rootkits, earlier work
by the Austrian TESO group and Rutkowska's recent work on AMT) is simply
to have rootkits which are operating system independent and, in some cases,
hardware independent.
Hardware independence is given by the fact that a rootkit running in a network
card works independently of where that network card is used: if it is in
an IBM Power workstation, a Dell PC, a high-end switch or a MIPS-based SOHO
router. As long as the NIC chip is the same then it will work.
What I have done is to modify the NIC firmware in such a way that it can
react to external commands and, in association with other equipment on the
motherboard (the video card, specifically), provide a remote shell.
This remote shell is capable of viewing the system memory from which you
can extract whatever is of interest (passwords stored in clear, keyboard
buffers, graphics buffers, etc.).
An extension of this work is to provide a direct communications channel between
two NICs thereby providing a bypass in a firewall which is totally invisible
to the firewall's operating system.
Matej Kovacic: How were you able to load your firmware
into the card? You need some special hardware device or you can do it simply
from the computer? Is there any protection, like digital signatures of new
firmware?
Arrigo Triulzi: Well, as all research projects it evolved
from using the flash update program which came with the NIC and simply feeding
it my modified firmware to using more sophisticated techniques like discovering
a remote update capability. The current version simply sends the appropriate
packets to vulnerable cards and updates them.
Different manufacturers use different layers of protection and it is a general
observation that the cheaper the NIC the worse the protection is. Quite a
few high-end cards make use of digital signatures to verify that the new
firmware is indeed from the manufacturer.
Matej Kovacic: How hard was to develop such a code,
what kind of a knowledge and equipment do you need?
Arrigo Triulzi: It all started out of curiosity and took
about two years of working when I had time to spare. The knowledge I built
as I went along and, for the hardware, by asking my father who used to design
computers.
Matej Kovacic: Approximate, about how many man-hours?
By your opinion, how much would need some well funded criminal
organization?
Arrigo Triulzi: Well, I would say that it took me approximately
500 man-hours to get to the stage of having a working "shell" (it cannot
really be called a real shell as the commands are very limited). I doubt
that a well-funded organization would need much more time than I needed but
it should be noted that the ROI does not make the endeavour worthwhile: while
the current mechanisms work (phishing, viruses, etc.) there is no point in
spending time and money to go down the hardware route.
Matej Kovacic: There are several producers of network
cards. How many chipsets are in use? Rootkits for every branch should probably
differ. How much? Would it be possible to develop generic ethernet card
rootkit?
Arrigo Triulzi: As I describe in my paper the marketing
department is your worst enemy: there are literally thousands of variants,
many of which are only ever documented in the OEM datasheets, and often little
changes (deltas) in the NIC production line cause my modified firmware to
fail.
A perfect example: I bought two 10-pack of allegedly identical NICs (identical
model numbers) and the production batches differed enough that I needed to
have two separate versions. The changes were minor but it was only when I
looked carefully at the main chip on the NIC that I realized that they were
different revisions of the same chip.
Now, can a generic NIC rootkit be developed? I don't know, it might be possible
to write a NIC rootkit which works across families in the same way that a
kernel can run (at times suboptimally) on CPUs from Pentium through Core
i7 but I have not really looked at it.
Matej Kovacic: If you can run a custom code on a network
card firmware, you have direct memory access to RAM...
Arrigo Triulzi: Yes, you do, via DMA.
Matej Kovacic: Which means you can easily read and write
memory without CPU knowing anything about it... What are the other security
impacts of this and of your research?
Arrigo Triulzi: Well, the first problem is that it is invisible
except for the traffic on the network side - if you want to take data out
then you must pass it over the network and this means that it could be detected.
On the other hand the operating system has no hope unless it has some way
of comparing the current firmware with the original one.
The security impacts are a simple extrapolation of the above: you can read
(and write) data into any system in a way which is currently totally
undetectable.
Matej Kovacic: How to detect such attack? It seems software
techniques are long time not enough to keep us secure...
Arrigo Triulzi: The only way would be trusted computing
if implemented properly and without the DRM halo which it normally carries:
it would mean that the firmware on the NIC is trusted by the system and therefore
any modification would be detected and prevented.
There is probably no easy way to detect it in software - a simply firmware
comparison could be tricked by keeping a copy of the parts which were modified
on the firmware and returning those to anyone trying to download the firmware
for verification.
Matej Kovacic: How exactly would be possible to detect
if firmare is correct? TPM chip on every device?
Arrigo Triulzi: Well, if we were to implement TPM in such
a way that every component of a system is verified for both security and
integrity (it would be nice to know if your NIC is about to fail, independently
of the security of the device). This makes the boot process complicated because
you start having issues with chicken & eggs: what part of the hardware
needs to be powered up and in what order? How do you execute correctly and,
more importantly, securely, a WOL (wake-on-LAN) packet?
If you start thinking about it you realize that it is not a trivial issue
at all: if you need to process a WOL packet it means that you have to have
the NIC wake up first, but then how does the TPM verify that the WOL packet
has not tampered the NIC? Do you do it later in the process? But then how
do you know that the NIC has not tampered with other parts of the system
or, worse, is replying pretending to be other devices on the PCI bus to the
TPM queries? The paranoid can head for the hills now.
Matej Kovacic: What if someone installs malicious code
in the factory?
Arrigo Triulzi: This is obviously a nightmare -- you get
a pre-installed botnet with your Christmas PC purchase. It is one of the
examples I always use: someone installing modified NIC firmware at Dell just
before the Christmas rush, Dell ships loads of PCs and mid-January we have
a gigantic botnet distributed around the planet by DHL. No chance of seeing
the infection vector because it never touches the Internet until the botnet
is unleashed. See it as an out-of-band infection mechanism.
Matej Kovacic: How much memory does have network card?
How big can be malicious firmware?
Arrigo Triulzi: Very very little. This is why I had to branch
out to the GPU (video card) to find memory to put my shell in. I only really
use the smallest amount of RAM and firmware space on the NIC device, everything
else is done via DMA on the video card. In my first paper on NIC firmware
modification (presented at a closed conference) I gave the figure of
approximately 5s of sniffer data being held on the device before the RAM
filled up.
Matej Kovacic: Have you heard of Phenoelit research of
security of IOS operating system?
Last
year they demonstrated an interesting attack on Cisco routers
â they
sent
one special packet through router and were able - for instance - to change
firewall rules.
It seems it would be possible to bypass the network filters by smuggling
network card into the company, penetrate network routers from inside, get
internet access to compromised ethernet card and... the sky is the limit?
Arrigo Triulzi: Indeed I have read Phenoelit's research
and rather than smuggling a NIC into the company a better trick would be
to take over the firewall directly: if the firewall has NICs which are vulnerable
you can use something I call the "Jedi Packet Trick" to take over the external
NIC, then via the PCI bus infect the internal NIC and pass packets directly
between the two NICs. The name obviously comes from the Jedi Mind Trick used
to bypass the Imperial Stormtroopers ...
Matej Kovacic: Last month we saw a malicious code could
be also runned on a Mac keyboard. Joanna Rutkowska and her team had shown
how vulnerable are hypervisors. Which hardware could also be exploited?
Arrigo Triulzi: Well, anything with a CPU: from the service
processors (IPMI, AMT, HP iLO) to SATA disks, to SCSI controllers, to video
cards (these I've already done some work on), network cards, etc.
Matej Kovacic: Yes, in your presentation you mentioned,
you are able to connect to video cards through network card (via PCI-to-PCI
transport) and run a malicious code there. This is much more powerful, because
video cards have much more memory and GPU has much more computing power...
Could you explain this in more detail?
Arrigo Triulzi: Quite simply the NIC is not powerful enough
to do much more than take packets off the wire and route them to a different
location over the PCI bus. You therefore need somewhere to run more complex
code and the obvious answer is (avoiding software, of course) the GPU: the
current crop from both ATI and nVidia are extremely powerful and nVidia comes
with a good open-source development kit.
So the packets come into the NIC, they are checked to see if they are to
be forwarded to the video card or are legitimate packets, they get to the
video card which processes the command and sends the reply back through the
same route.
Matej Kovacic: We haven't seen much security research
about hardware based attacks (comparative to software based attacks). Is
there any security testing of a new hadrware?
Arrigo Triulzi: Not really, no. At the moment hardware security
rests with manufacturers. I suspect that governments will test hardware security
for their more sensitive applications.
Matej Kovacic: Maybe some advice what to do if you are
really paranoid about security?
Arrigo Triulzi: As things stand I would recommend using
pen and paper... More seriously now: hardware rootkits are very sexy but
hardly what is needed these days. What is the point of a sophisticated hardware
rootkit when you can gain control of a user's machine by simply sending a
malicious image as part of a website or a malicious attachment with an e-mail?
At the moment the return on investment for hardware rootkits do not make
them viable so they are simply not going to be used except where they are
really needed which, in my opinion, is at the level of serious industrial
espionage. So the answer is that you had better concern yourself with securing
what you already use and make sure that your online behaviour is not reckless,
mail programs should come with three to five layers of big red dialog boxes
before they let you open an attachment of any kind...
Matej Kovacic: I agree. But if you are a big company
or government organization, this things can become important. And then it
is only a question of trust. I mean, at the end of the day, you have to trust
someone â your software, your OS, your hardware. Who do
you trust?
Arrigo Triulzi: As I mentioned earlier the more expensive
cards do come with signed firmware. If you decide to purchase the very cheapest
equipment then chances are that one of the areas the company
didnât invest in is security. If you are a government
organization you often already have a source license for Windows, for example,
and it is just routine for approved vendors to provide hardware specifications
including the firmware update mechanism. You simply need to check that it
uses signed firmware and then verify the claim.
In many ways it is the usual story: "you get what you pay for".
Matej Kovacic: Thank you very much.
|