Dailydave mailing list archives
Re: Whitepaper: Implementing and Detecting a PCI Rootkit
From: Dan Moniz <dnm () pobox com>
Date: Thu, 16 Nov 2006 11:40:21 -0800
On 11/16/06 10:47 AM, "sinan.eren () immunitysec com" <sinan.eren () immunitysec com> wrote:
> I should also note that when you have an FPGA-based solution, there is no ROM to be investigated for potential malware. You might still hope to detect the subversion in kernel space though; of course that is a bit naive, given that you don't know all the possible hooks one can place.
There should be *some* ROM, if the design is non-volatile, and it would have to be if you plan to have these cards lying around until you pop them in a machine. A PROM serving as platform flash should exist on the board to hold the image for the FPGA to load. Retrieving data from external platform flash PROMs is not all that difficult.

If you wanted to get away with no external (outside of the die) memory, you'd have to use CPLDs (closer gate counts to FPGAs) or PALs. Technically there's still non-volatile memory in this case too, but it's on-die. That can raise the barrier significantly compared to FPGA-based designs. Be sure to remove all the JTAG pins and bury your traces in a multi-layer board, and coat the entire thing in epoxy and tamper-sensitive packaging. If I (the royal "I" in this case, natch) can get to a wire or wires without triggering some self-destruct condition, I can almost certainly recover something.

--
Dan Moniz <dnm () pobox com> [http://pobox.com/~dnm/]