More ways to gain access to systems you have physical access to

Posted May 2nd, 2009 by j00p34

In a previous article I discussed several ways to reset, recover or circumvent a root password. While the article was written to assist people who have lost or forgotten a root password, it was also a statement about security. As I was reading up on the subject I noticed there are some things I didn't know about, as my knowledge of the subject has aged a bit.

Security

While the article was not meant to be about security, it certainly touched on its surface. When it comes to security there's a lot more to say.

First of all, there's another way of circumventing the kernel's access control. It's called a DMA attack. It is based on a hardware flaw, and if you have a FireWire port in your system there's a big chance you are vulnerable to it.

DMA

The DMA attack is based on a "feature" of FireWire which gives it direct read/write access to memory.
DMA, as most of you probably know, is a feature used to speed up access to memory by bypassing the processor. This is needed, for instance, by graphics cards, which do their own processing on data in memory. It's a great enhancement that allows speedy input/output of data where the main processor is not needed. The FireWire protocol allows external devices to directly access memory for read/write operations. This makes it easy to change data in system memory using an external device (like a modified iPod, for example).

root access

This can give you root access to a running Linux system as long as it has a working FireWire port.
You can read more about this specific security flaw, as well as methods of mitigating it, here (the part about Windows is especially amusing).

Implications

The implications of this particular attack are very big, as it even seems to allow reading the real-mode BIOS keyboard buffer (which can contain disk encryption passwords) and therefore allows circumventing disk encryption. Read this article (and read the comments). While this security flaw is already pretty dated, it seems it's still pretty valid.
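One concrete mitigation check for the Linux side, added here as an example and not taken from the post or the linked articles: find out whether the FireWire driver stack is loaded at all, and write a modprobe blacklist fragment so it is not autoloaded when someone plugs a device in. The module names are the real ones of the old (ieee1394) and new (firewire-*) Linux stacks; the input file format and the /etc/modprobe.d path are assumptions about a typical system.

```shell
#!/bin/sh
# Added example, not part of the original post: report whether the Linux
# FireWire driver stack is loaded, and write a modprobe blacklist fragment so
# it is not autoloaded when a device is plugged in. Input is a /proc/modules
# style file (module name is the first field, names use underscores).

# Real module names of the old (ieee1394) and new (firewire-*) Linux stacks.
FIREWIRE_MODULES="ohci1394 sbp2 ieee1394 firewire_ohci firewire_sbp2 firewire_core"

# Print which FireWire modules appear in the given /proc/modules-style file.
# Returns 0 when none are loaded, 1 when at least one is.
firewire_exposure() {
    modfile="$1"
    found=""
    for m in $FIREWIRE_MODULES; do
        # Match the module-name field exactly, not a substring of the line.
        if awk -v m="$m" '$1 == m { hit = 1 } END { exit hit ? 0 : 1 }' "$modfile"; then
            found="$found $m"
        fi
    done
    if [ -n "$found" ]; then
        echo "loaded FireWire modules:$found"
        return 1
    fi
    echo "no FireWire modules loaded"
    return 0
}

# Write a blacklist fragment to the given path; on a real system use
# /etc/modprobe.d/blacklist-firewire.conf (assumed path, needs root).
# modprobe treats '-' and '_' in module names as equivalent.
write_blacklist() {
    out="$1"
    : > "$out"
    for m in $FIREWIRE_MODULES; do
        printf 'blacklist %s\n' "$(printf '%s' "$m" | tr _ -)" >> "$out"
    done
    echo "wrote $out"
}
```

On a live system run `firewire_exposure /proc/modules`, and note that a blacklist only stops autoloading: modules already loaded must be unloaded, and an IOMMU is the stronger control against a device that can issue DMA.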

Cold boot

The next thing I learned about is the cold boot attack. While I used to think memory would be empty as soon as power was taken off the system, it seems this is not entirely true.

Here's a Wikipedia article about that. The data in memory stays readable for seconds up to minutes after shutdown, and this can be prolonged to hours by freezing the memory modules. If you have the possibility to take out the memory module or boot the system from USB, you can save the contents of memory and analyze it for cryptographic keys and the like.
Of course, if you can boot a system from USB you are in already, but this also allows for circumventing encrypted disk systems.

Is there more I need to know? Do you know more ways of gaining access that I (and others) should know about to protect my systems? Please leave a comment. It can take a while before comments get published (other time zone).

