On Fri, 12 Feb 1999, Daniel Quinlan wrote:

> Jason Downs <downsjat_private> writes:
> > If this host is compromised it's obviously bad news for the filer.
> > But now, apparently new with the 5.x revisions of the filer operating
> > system, a malicious individual can likely destroy the disk drive
> > hardware itself.
>
> How is this different from any host (Unix, Windows, DOS, network
> equipment) that has one or more components with upgradeable firmware?

IMHO, having software-upgradeable firmware without having a physical lockout is a very bad idea. A well-labeled physical switch that must be set by hand to upgrade the firmware, and reset for normal operation, would suffice -- it would ensure that upgrading the firmware required physical access to the machine.

> I asked NetApp quite a few questions about this before I upgraded our F630
> FC disk firmware -- according to them, it's nearly impossible to turn
> disks into expensive bricks.

My biggest concern with upgradable firmware is much more severe. If you can "upgrade" the firmware on the disk somebody boots their machine from, you can theoretically do unbelievably devilish things. You can insert arbitrary code into the OS kernel, for example, but only when you boot off that disk; if you boot off a floppy to check the disk with Tripwire or L5, you can give the unmodified kernel. Most disks have plenty of spare space on them -- reserved for remapping bad blocks -- and you would have plenty of space to store whatever malicious code you wanted.

You could, for instance, insert nonstandard options into IP headers and use them as a covert channel to alert you of the existence and configuration of infected machines. You could send extra packets during times of heavy traffic. You could insert extra queries into DNS packets -- queries that would ultimately be forwarded to malicious DNS servers. Once you'd found infected machines, you could exert complete control over them.

A particularly obnoxious possibility: you could insert "logic bombs" into the disk firmware that would activate only when certain (long and rather improbable, perhaps a few hundred bytes) were read from the disk. Then spam people with a .gif containing that sequence, along with steganographically-encoded machine code. They extract the .gif onto their disk, nicely aligned with the beginning of a sector, and load it up with Netscape.

And if your break-in was spotted and the machine reinstalled from scratch, it wouldn't matter. The machine would still be compromised, and there would be no way to tell that it was compromised, since you can't check the firmware with L5.

I know these feats would be technically difficult and narrowly applicable, requiring detailed knowledge of particular disk designs and operating systems. But the threat is much more severe than the mere threat of someone breaking into your machine and stealing or deleting your data.

Firmware that is flashable without requiring inconvenient physical access really scares me.

--
<kragenat_private> Kragen Sitaker <http://www.pobox.com/~kragen/>
Computers are the tools of the devil. It is as simple as that. There is no
monotheism strong enough that it cannot be shaken by Unix or any Microsoft
product. The devil is real. He lives inside C programs. -- philgat_private
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:34:32 PDT