2005-04-04 17:42:29

by Jonas Diemer

Subject: security issue: hard disk lock

Hello!

I don't know if you guys already know, there is a possible security risk with
all modern desktop PCs and ATA hard drives. In short:

Modern ATA drives can be locked by password. This lock could be set by
malicious software. This security feature can be frozen, so no programs can
set a lock until the next reboot. Usually, the BIOS should take care of
locking the security feature, but most desktop BIOSes (unlike laptop BIOSes)
fail to do so. Once a lock is set and the password is unknown, the drive is
trash.

See http://www.heise.de/ct/english/05/08/172/ for more details.

In the above article, a patched hdparm is used to freeze the drive's security
features. This can be used during boot to prevent programs from setting a
password. However, a malicious program could infect the computer and install
itself in the boot sequence prior to the execution of hdparm...

I figured there could be a kernel compiled-in option that will make the kernel
lock all drives found during bootup. Then, a malicious program would need to
install a different kernel in order to harm the drive, which would be much
more secure.

What do you think of this?

Regards,
Jonas

PS: Please CC me in replies, I am not subscribed to the list.


2005-04-04 18:32:22

by Horst H. von Brand

Subject: Re: security issue: hard disk lock

Jonas Diemer <[email protected]> said:

[...]

> I figured there could be a kernel compiled-in option that will make the
> kernel lock all drives found during bootup. Then, a malicious program
> would need to install a different kernel in order to harm the drive,
> which would be much more secure.

Doing it in initrd should be plenty of time, no need to involve the kernel.
--
Dr. Horst H. von Brand User #22616 counter.li.org
Departamento de Informatica Fono: +56 32 654431
Universidad Tecnica Federico Santa Maria +56 32 654239
Casilla 110-V, Valparaiso, Chile Fax: +56 32 797513

2005-04-04 19:26:13

by Florian Weimer

Subject: Re: security issue: hard disk lock

* Jonas Diemer:

> What do you think of this?

I think that these days, the underlying assumption (software cannot
destroy hardware, and if it can, we have a problem) is simply no
longer valid.

2005-04-04 23:02:49

by Chris Friesen

Subject: Re: security issue: hard disk lock

Horst von Brand wrote:

> Doing it in initrd should be plenty of time, no need to involve the kernel.

Not everyone uses an initrd.

Chris

2005-04-05 15:42:45

by Vernon Mauery

Subject: Re: security issue: hard disk lock

Horst von Brand wrote:
> Jonas Diemer <[email protected]> said:
>
> [...]
>
>
>> I figured there could be a kernel compiled-in option that will make the
>> kernel lock all drives found during bootup. Then, a malicious program
>> would need to install a different kernel in order to harm the drive,
>> which would be much more secure.
>
>
> Doing it in initrd should be plenty of time, no need to involve the kernel.

Technically, according to the article, the only safe time to do it is in the BIOS or in one of their special safe CDs that freezes the drive before the boot loader loads. This makes sense because a particularly malicious place to put something like this is a worm that attaches to your boot loader. Then, even doing it in the kernel at boot time is too late.

--Vernon

2005-04-05 17:26:50

by Jonas Diemer

Subject: Re: security issue: hard disk lock

On Tuesday 05 April 2005 17:41, Vernon Mauery wrote:
> This makes sense because a particularly malicious
> place to put something like this is a worm that attaches to your boot
> loader. Then, even doing it in the kernel at boot time is too late.

I understand... Didn't know that worms could attach to the bootloader :-)
Well, then even fixing this in the bootloader would be too late, if the worm
could simply replace the bootloader. I guess it's not a kernel issue then and
should really be addressed in the boot-up sequence (as long as BIOS vendors
fail to fix it), be it with or without initrd.

regards,
Jonas

PS: Still not in list, so please CC me on eventual replies.

2005-04-11 15:39:43

by Alan

Subject: Re: security issue: hard disk lock

On Mon, 2005-04-04 at 18:42, Jonas Diemer wrote:
> I figured there could be a kernel compiled-in option that will make the kernel
> lock all drives found during bootup. Then, a malicious program would need to
> install a different kernel in order to harm the drive, which would be much
> more secure.

It makes little difference as the attacker can replace the kernel and
reboot. Anyway they can flash erase your video card BIOS, your IDE firmware,
your BIOS and far more just as easily.

I wrote an analysis for the UK government a few years back about this
threat and concluded that a sufficiently malicious attacker and a
suitable hole would allow someone to wipe out large numbers of PCs on a
fairly permanent basis. We can just be glad that the folks writing stuff
like Slammer mostly want either fame or are operating "commercially" (i.e.
DoS protection rackets, spam etc.) so don't wish to kill their hosts.

From an OS perspective it is very hard to protect against. Locking the
boot media can help, providing the BIOS settings cannot be used to boot
another disk. Dropping CAP_SYS_RAWIO early in boot will protect against
most of the potential "root user directly accesses the hardware" type
attacks. hdparm can help but really it needs to be in the BIOS options
to make much difference, so kick your pet BIOS vendor/PC maker.

Alan

2005-04-11 16:04:15

by Jonas Diemer

Subject: Re: security issue: hard disk lock

Hi Alan!

Thanks for the info

On Monday 11 April 2005 17:36, Alan Cox wrote:
> It makes little difference as the attacker can replace the kernel and
> reboot. Anyway they can flash erase your video card BIOS, your IDE firmware,
> your BIOS and far more just as easily.

Yes, but a new video card or motherboard can be easily bought (although it
costs), but the data on a locked disk is lost forever, unless you pay for
professional recovery (which is also a time issue, if time-critical data is
stored on the disk). Of course, this can be solved with a good backup
strategy...

I agree with you though, that this really isn't a kernel issue, but a BIOS
thing. Distributors should/could provide additional security by freezing the
security-features early during boot, until BIOS vendors do their homework.

regards,
Jonas

PS: Still not on the list, so please CC me in an eventual reply.

2005-04-14 03:20:24

by Mark Lord

Subject: Re: security issue: hard disk lock

hdparm-6.0 is currently winding through release channels,
and includes support for freezing/managing the security status.

Cheers
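As an added example (not code from the thread or from hdparm itself), the script below parses the "Security:" section that `hdparm -I` prints and reports whether a drive is still open to having a password set, i.e. whether it still needs `hdparm --security-freeze` early in boot. The two `hdparm -I` excerpts are constructed samples; the state names `open`, `enabled`, `locked`, `frozen` and `unsupported` are this script's own labels for what the section reports.

```shell
#!/bin/sh
# Added example: read the ATA security state out of `hdparm -I` text and
# decide whether a SECURITY FREEZE LOCK is still needed for this drive.

# Constructed sample: security supported, but neither enabled nor frozen.
SAMPLE_OPEN='Security:
	Master password revision code = 65534
		supported
	not	enabled
	not	locked
	not	frozen
	not	expired: security count
		supported: enhanced erase'

# Constructed sample: same drive after a freeze command has been issued.
SAMPLE_FROZEN='Security:
	Master password revision code = 65534
		supported
	not	enabled
	not	locked
		frozen
	not	expired: security count
		supported: enhanced erase'

# ata_security_state "<hdparm -I output>" prints one word:
#   unsupported | locked | frozen | enabled | open
# hdparm prints negative states as "not<TAB>frozen", so a pattern that allows
# only whitespace before the keyword matches exactly the asserted states.
ata_security_state() {
	sec=$(printf '%s\n' "$1" | sed -n '/^Security:/,/^[^[:space:]]/p')
	has() { printf '%s\n' "$sec" | grep -Eq "^[[:space:]]+$1[[:space:]]*$"; }
	if ! has supported; then echo unsupported
	elif has locked;    then echo locked    # password set, drive refuses I/O
	elif has frozen;    then echo frozen    # security commands refused until power cycle
	elif has enabled;   then echo enabled   # password set and unlocked, still not frozen
	else                     echo open      # supported and unprotected: freeze it
	fi
}

# needs_freeze "<hdparm -I output>": exit 0 if the drive should be frozen now.
needs_freeze() {
	case $(ata_security_state "$1") in
		open|enabled) return 0 ;;
		*)            return 1 ;;
	esac
}

# Live use (as root), e.g. from an early init script:
#   needs_freeze "$(hdparm -I /dev/sda)" && hdparm --security-freeze /dev/sda
```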

2005-04-15 15:13:29

by Alan

Subject: Re: security issue: hard disk lock

On Mon, 2005-04-11 at 17:01, Jonas Diemer wrote:
> Yes, but a new video-card or Motherboard can be easily bought (although it
> costs), but the data on a locked disk is lost forever, unless you pay for
> professional recovery (which is also a time-issue, if time critical data is
> stored on the disk). Of course, this can be solved with a good backup
> strategy...

It still causes great inconvenience I agree.

> I agree with you though, that this really isn't a kernel issue, but a BIOS
> thing. Distributors should/could provide additional security by freezing the
> security-features early during boot, until BIOS vendors do their homework.

It's really for Jeff and Bartlomiej to call, but I'd certainly not be
opposed to freezing the security state in the kernel at boot by default.

Alan