Targeting Physically Addressable Memory

  • Authors:
  • David R. Piegdon; Lexi Pimenidis

  • Affiliations:
  • Aachen University of Technology, Computer Science Department Informatik IV, Ahornstr. 55, D-52074 Aachen, Germany; Aachen University of Technology, Computer Science Department Informatik IV, Ahornstr. 55, D-52074 Aachen, Germany

  • Venue:
  • DIMVA '07 Proceedings of the 4th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
  • Year:
  • 2007

Abstract

This paper introduces new advances in gaining unauthorised access to a computer by accessing its physical memory via various means. We will show a unified approach for using IEEE1394, also known as firewire, file descriptors and other methods to read from and write into a victim's memory. Thereafter we will show the power of this ability in several example attacks: stealing private SSH keys, and injecting arbitrary code in order to obtain interactive access with administrator privileges on the victim's computer.

These advances are based on data structures that are required by the CPU to provide virtual address spaces for each process running on the system. These data structures are searched and parsed in order to reassemble pages scattered in physical memory, thus being able to read and write in each process's virtual address space.

The attacks introduced in this paper are adaptable to all kinds of operating system and hardware combinations. As a sample target, we have chosen Linux on an IA-32 system with the kernel options CONFIG_NOHIGHMEM or CONFIG_HIGHMEM4G, CONFIG_VMSPLIT_3G and CONFIG_PAGE_OFFSET=0xC0000000.