Re: Security problems with Dell Latitude C800 Notebook BIOSes

From: Raymond M. Reskusich (reskusicat_private)
Date: Tue Aug 14 2001 - 11:56:43 PDT


    On Tue, Aug 14, 2001 at 05:28:36PM +0200, Bernhard Rosenkraenzer wrote:
    ...
    > When using suspend to disk, the Latitude BIOS dumps the system status to
    > the suspend to disk partition and prepends an OS loader code, and toggles
    > the active bit on the suspend to disk partition.
    ...
    > This is VERY dangerous though - it allows things like suspending a
    > session, then booting the normal OS (or something else from a floppy or
    > CD-ROM - the BIOS does nothing to ensure the stored session is actually
    > recovered), doing something completely different including modifying disk
    > content, reading all content (passwords and confidential data) from the
    > suspend-to-disk partition), then restoring the session that was
    > suspended before. The result of this can be anything and will almost
    > certainly lead to data loss.
    
    Well, inasmuch as this is a security flaw one would imagine that the
    "hibernate" functionality in Windows 2000 is about equally unsafe.
    However, considering the usual risks involved in letting anyone with
    a floppy boot to it on your machine, this isn't really a surprise.
    
    I think to call this a BIOS flaw misses the point.  Dell is adding
    to the functionality of the expected PC BIOS with a minimum of
    disruption to existing functionality.  There is no reason, for
    instance, for Dell to tell me that because I chose to suspend my
    Windows session that I shouldn't be able to boot Linux before resuming
    it.  Admittedly, the reliance on the active flag will play havoc with
    some boot loaders unless you add the suspend partition to your boot
    menu, but Linux users are used to such inconveniences.
    
    If you want the boot to be limited to the suspend session, disable
    floppy and cdrom boot, don't install a 3rd party boot loader, and
    you're good.  Even better, put in a boot password.  But any scheme
    where you write out a system memory image to disk unencrypted, you'll
    still be vulnerable to anyone with physical access to the system.
    Nothing stops the prospective data thief from popping your HD out that
    convenient side panel and reading it in his laptop.
    
    Raymond M. Reskusich
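The thread turns on one firmware behaviour: when the Latitude BIOS writes the memory image, it marks the suspend-to-disk partition active, which is what confuses boot loaders and what a machine owner would want to notice after the fact. The following Python script is an added example, not code from Raymond's or Bernhard's posts or from Dell; it decodes the four primary entries of an MBR and reports where the active flag currently sits, so an administrator can compare it against the partition the loader is expected to boot. The MBR bytes are constructed inline, the partition layout is made up, and the use of type 0xA0 for the suspend partition is an assumption for illustration only.

```python
"""Report which MBR partition carries the active (boot) flag.

Added example (not from the mailing-list post). The partition table and
all sizes below are constructed sample data; treating type 0xA0 as the
suspend-to-disk partition is an assumption made for this example.
"""
import struct

MBR_SIZE = 512
TABLE_OFFSET = 446          # partition table starts after the boot code
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"
ACTIVE_FLAG = 0x80

# Entry layout: status (1), CHS start (3, skipped), type (1),
# CHS end (3, skipped), LBA start (4, LE), sector count (4, LE)
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(mbr: bytes) -> list[dict]:
    """Return the non-empty primary partition entries of a 512-byte MBR."""
    if len(mbr) != MBR_SIZE or mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("not a valid MBR: wrong size or missing 0x55AA signature")
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, mbr, TABLE_OFFSET + i * ENTRY_SIZE)
        if ptype == 0:          # unused slot
            continue
        entries.append({
            "index": i,
            "active": status == ACTIVE_FLAG,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return entries


def active_indices(mbr: bytes) -> list[int]:
    """Indices of entries flagged active; more than one, or none, is abnormal."""
    return [e["index"] for e in parse_mbr(mbr) if e["active"]]


def active_flag_moved(mbr: bytes, expected_index: int) -> bool:
    """True when the active flag is not solely on the partition we expect.

    After a BIOS suspend-to-disk of the kind described in the thread, the
    flag lands on the suspend partition instead of the OS partition.
    """
    return active_indices(mbr) != [expected_index]


def read_mbr(device_path: str) -> bytes:
    """Read the first sector of a disk (needs privileges on a real system)."""
    with open(device_path, "rb") as fh:
        return fh.read(MBR_SIZE)


def _entry(active: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    return struct.pack(ENTRY_FMT, ACTIVE_FLAG if active else 0, ptype,
                       lba_start, sectors)


def build_sample_mbr(active_index: int) -> bytes:
    """Constructed MBR: NTFS OS partition, a suspend partition, a Linux one."""
    table = b"".join([
        _entry(active_index == 0, 0x07, 63, 2_000_000),         # Windows
        _entry(active_index == 1, 0xA0, 2_000_063, 1_000_000),  # suspend (assumed type)
        _entry(active_index == 2, 0x83, 3_000_063, 4_000_000),  # Linux
        bytes(ENTRY_SIZE),                                      # empty slot
    ])
    return bytes(TABLE_OFFSET) + table + BOOT_SIGNATURE


if __name__ == "__main__":
    # Simulate the state left behind by the BIOS: flag moved to partition 1.
    sample = build_sample_mbr(active_index=1)
    for e in parse_mbr(sample):
        print(f"entry {e['index']}: type 0x{e['type']:02X} "
              f"start {e['lba_start']} sectors {e['sectors']} "
              f"{'ACTIVE' if e['active'] else ''}")
    print("active flag moved off the OS partition:",
          active_flag_moved(sample, expected_index=0))
```

On a real machine you would pass the output of `read_mbr("/dev/sda")` (or the equivalent device path) to `active_flag_moved` with the index of the partition your loader normally boots; a result of `True` after a resume is the condition Raymond describes as playing havoc with third-party boot loaders, and a table with no active entry or several is worth a closer look regardless.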
    This archive was generated by hypermail 2b30 : Tue Aug 14 2001 - 12:48:25 PDT