What if you can't trust your network card?

Authors:
Loïc Duflot;Yves-Alexis Perez;Benjamin Morin
Affiliations:
ANSSI, French Network and Information Security Agency, Paris, France;ANSSI, French Network and Information Security Agency, Paris, France;ANSSI, French Network and Information Security Agency, Paris, France
Venue:
RAID'11 Proceedings of the 14th international conference on Recent Advances in Intrusion Detection
Year:
2011

Citing 11
Cited 2

Protecting Software Code by Guards

DRM '01 Revised Papers from the ACM CCS-8 Workshop on Security and Privacy in Digital Rights Management
On the effectiveness of address-space randomization

Proceedings of the 11th ACM conference on Computer and communications security
StackGhost: Hardware facilitated stack protection

SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Copilot - a coprocessor-based kernel runtime integrity monitor

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
XFI: software guards for system address spaces

OSDI '06 Proceedings of the 7th symposium on Operating systems design and implementation
Control-flow integrity principles, implementations, and applications

ACM Transactions on Information and System Security (TISSEC)
On the difficulty of software-based attestation of embedded devices

Proceedings of the 16th ACM conference on Computer and communications security
Return-oriented programming without returns

Proceedings of the 17th ACM conference on Computer and communications security
SBAP: software-based attestation for peripherals

TRUST'10 Proceedings of the 3rd international conference on Trust and trustworthy computing
HyperCheck: a hardware-assisted integrity monitor

RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
Control-flow integrity principles, implementations, and applications

ACM Transactions on Information and System Security (TISSEC)

Enabling trusted scheduling in embedded systems

Proceedings of the 28th Annual Computer Security Applications Conference
Understanding DMA malware

DIMVA'12 Proceedings of the 9th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment

Quantified Score

Hi-index	0.00

Visualization

Abstract

In the last few years, many different attacks against computing platform targeting hardware or low level firmware have been published. Such attacks are generally quite hard to detect and to defend against as they target components that are out of the scope of the operating system and may not have been taken into account in the security policy enforced on the platform. In this paper, we study the case of remote attacks against network adapters. In our case study, we assume that the target adapter is running a flawed firmware that an attacker may subvert remotely by sending packets on the network to the adapter. We study possible detection techniques and their efficiency. We show that, depending on the architecture of the adapter and the interface provided by the NIC to the host operating system, building an efficient detection framework is possible. We explain the choices we made when designing such a framework that we called NAVIS and give details on our proof of concept implementation.