[GTALUG] DMA kernel attacks

Russell Reiter rreiter91 at gmail.com
Thu Mar 16 16:41:36 EDT 2017


<rreiter91 at gmail.com>
Date: Mar 16, 2017 12:49 PM
Subject: Re: [GTALUG] DMA kernel attacks
To: "Lennart Sorensen" <lsorense at csclub.uwaterloo.ca>

On Mar 13, 2017 10:50 AM, "Russell Reiter" <rreiter91 at gmail.com> wrote:



On Mar 13, 2017 10:27 AM, "Lennart Sorensen" <lsorense at csclub.uwaterloo.ca>
wrote:

On Sat, Mar 11, 2017 at 01:02:45PM -0500, Russell Reiter via talk wrote:
> Another DEFCON talk. This is a hardware attack on M$, OSX & Linux, PCIleech
> = 150mbs over usb3.


Sorry, I wasn't clear here. The PCI card goes in the attacking machine. The
steal is over USB. Two tries for the linux box.

>
> https://www.youtube.com/watch?v=fXthwl6ShOg&list=PL9fPq3eQfaaAvXV3hJc4yHuNxoviVckoE&index=15#t=2508.995164

Well first you have to install your PCIe card in the target machine,
which means you would have to shut it down first, which could make
booting it again difficult.


Ummm ... PCIe is hot-pluggable with the right software.


I thought initially they found a flaw in USB3, but no that is not
the case.

So it doesn't do anything we didn't already have a problem with in
firewire years ago.  So yes if you get to put your own PCIe hardware in
a machine, you can DMA memory.  And it's a bit faster than a firewire
card was.

The firewire and thunderbolt issues in the past seem much more of a
concern than this because they were hardware already present in the
target machine.  This is pretty much just irrelevant.


Maybe to you. I don't consider increase of transfer rate from 3mbs to 150mbs
irrelevant by any means.

Just because I highlight one bit of information which I gleaned from a
source and wanted to share, as a matter of general interest, this doesn't
mean I didn't want you to learn from the post.

I did it because I do want you to learn from it. Like you just now learned
PCIe can be accessed without rebooting.


Among other things.




--
Len Sorensen