
Computer Magazines - FCC Worries That iPad Will Clog the Internet

by  Chloe Albanesius
Will Apple's new iPad tablet create network mayhem? Two Federal Communications Commission officials have some concerns, and are likening the possible logjam to traffic issues that confronted AOL in the 1990s.

"Apple's iPad announcement has set off a new round of reports of networks unburdened by a data flow they were not built to handle," Phil Bellaria, director of scenario planning for broadband, and John Leibovitz, deputy chief of the FCC's wireless telecom bureau, wrote in a Monday blog post. "These problems are reminiscent of the congestion dialup users experienced following AOL's 1996 decision to allow unlimited Internet use."

The increased use of smartphones, 3G netbooks, and in the coming months, the iPad "demonstrate that wireless broadband will be a hugely important part of the broadband ecosystem as we move ahead," they wrote.

AOL solved its problem by upgrading modems and servers, and wireless providers can do the same, but only if they have adequate spectrum, Bellaria and Leibovitz wrote.

The national broadband plan currently in the works at the FCC "will suggest ways of moving more spectrum into high value uses, such as broadband access, to help ensure that we don't get stuck in 1997 dialup-style congestion," they said.

"With the iPad pointing to even greater demand for mobile broadband on the horizon, we must ensure that network congestion doesn't choke off a service that consumers clearly find so appealing or frustrate mobile broadband's ability to keep us competitive in the global broadband economy," the duo concluded.

The stimulus package passed in early 2009 ordered the FCC to deliver a national broadband plan to Congress by February 2010. The commission was recently granted a two-month extension after the commission said it needed more time to sort through submitted comments and information gathered at public hearings.

Network card



Webcam





Description


Webcams (web cameras) are small cameras (usually, though not always, video cameras), whose images can be accessed using the World Wide Web, instant messaging, or a PC video conferencing application. The term webcam is also used to describe the low-resolution digital video cameras designed for such purposes, but which can also be used to record in a non-real-time fashion.

Web-accessible cameras involve a digital camera which uploads images to a web server, either continuously or at regular intervals. This may be achieved by a camera attached to a PC, or by dedicated hardware. Videoconferencing cameras typically take the form of a small camera connected directly to a PC. Analog cameras are also sometimes used (often of the sort used for closed-circuit television), connected to a video capture card and then directly or indirectly to the internet.



Communication on PC with webcam

CES 2010: AOC

Older readers may remember a television maker named Admiral. It was started 43 years ago as Admiral Overseas Corporation in Taiwan, but has evolved through time. It switched wholly to monitor production in the 1980s, but reintroduced televisions to its roster in 2005. While AOC is not quite a household name these days, it's very likely that most readers have used a device manufactured by AOC's manufacturer. AOC is the brand of the factory, TPV Technology Limited, the largest display manufacturer in the world. AOC's products are available in several stores, including RadioShack, K-Mart, Sears, Costco, Staples, and more. AOC showed many products at CES this year, including new computer displays, new televisions, and a line of all-in-one PCs.

Computer Monitors
AOC launched three new major series of monitors this year at CES: the 36, 40, and 37 series. The out-of-order numbering for the product ranges is unintentional; each number indicates a unique set of selling points of the series. The 36 series is entry level, and can be LCD or LED. Most of AOC's offerings these days are LED, so the LCD is a real cost saver while sacrificing quality. The 40 series is at the mainstream level, and has a paint finish with an etching on the back of the unit.








The 37 series is the high-end series, with 22″ and 24″ models. Both are full 1080p with HDMI and feature a floating frame design with a desk light. The desk light can be dimmed or shut off using the on-screen display (OSD).

Computer fan



Description

A computer fan can be any fan inside a computer case used for cooling purposes, and may refer to fans that draw cooler air into the case from the outside, expel warm air from inside, or move air across a heatsink to cool a particular component. The use of fans and/or other hardware to cool a computer is sometimes referred to as active cooling.



Intel Desktop Board D5400XS



Features and benefits
Form Factor

Extended ATX (eATX) (12.00 inches by 13 inches [304.80 millimeters by 330.2 millimeters])
Processor

* Support for 45nm Intel® Core™2 Extreme processors in an LGA771 socket with a 1600 MHz system bus
* Support for both 45nm & 65nm Intel® Xeon® processors in an LGA771 socket with a 1600, 1333, or 1066 MHz system bus

Memory

* Four Fully Buffered DIMM (FBDIMM) DDR2 Module sockets
* Support for FBDIMM DDR2 800MHz, 667 MHz, DIMMs
* Support for up to 8 GB of system memory
* Support for ECC and non-ECC memory

Chipset

Intel® 5400 Express Chipset
Audio

Intel® High Definition Audio subsystem in the following configuration:

* 8-channel (7.1) Dolby Home Theater Audio subsystem with five analog audio outputs and two S/PDIF digital audio outputs (coaxial and optical)

Nvidia SLI* and ATI CrossFire* multi-GPU platform support

Nvidia SLI and ATI CrossFire technology enables two graphics cards to work together for ultimate 3D gaming performance and visual quality
I/O Control

Legacy I/O controller for diskette drive, serial header, and PS/2 ports
LAN support

Gigabit (10/100/1000 Mbits/sec) LAN subsystem
Peripheral interfaces

* 10 USB 2.0 ports (6 external ports, 2 internal headers)
* Six Serial ATA 3.0 Gb/s ports, including 2 eSATA port with RAID support supplied by a Marvell* controller
* Two IEEE-1394a ports (1 external port, 1 internal header)
* Consumer IR receiver and emitter (via internal headers)
* One Parallel ATA IDE interface with UDMA 33, ATA-66/100 support (2 devices supported)

Expansion capabilities

* Two PCI Conventional* bus add-in card connectors (SMBus routed to both PCI Conventional bus add-in card connectors)
* Four primary PCI Express* 1.1 x16 (electrical x16) bus add-in card connector

Microsoft Windows Vista Premium* Ready

With a PC built with Intel® processors and an Intel® Desktop Board, you can experience a more responsive and manageable environment of Microsoft Windows Vista including a new visual sophistication of the Microsoft Windows Aero* interface.
Related products
Processors

* Intel® Core™2 Extreme processor
* Intel® Xeon® processor

Chipsets

* Intel® 5400 Express Chipset

Computer hardware is the physical part

Computer hardware is the physical part of a computer, including the digital circuitry, as distinguished from the computer software that executes within the hardware. The hardware of a computer is infrequently changed, in comparison with software and hardware data, which are "soft" in the sense that they are readily created, modified or erased on the computer. Firmware is a special type of software that rarely, if ever, needs to be changed and so is stored on hardware devices such as read-only memory (ROM) where it is not readily changed (and is, therefore, "firm" rather than just "soft").


MSI N9800GTX-T2D512





Specifications


Core/Memory

675 MHz Core

512MB GDDR3 2200 MHz Memory


GeForce® 9800 GTX graphics cards running on NVIDIA nForce® 7 Series Motherboards Unlock Next Generation Platform Features

- Three GeForce® 9800 GTX graphics cards running in 3-way NVIDIA SLI® mode on the new NVIDIA nForce® 780i and 790i motherboards enable up to 2.8x performance increase over a single GPU for the ultimate gaming upgrade.

- NVIDIA HybridPower™ technology delivers graphics performance when you need it and low-power operation when you don't. HybridPower technology lets you switch from your GeForce 9800 GTX graphics card to your motherboard GeForce GPU when running less graphically-intensive applications for a silent, low power PC experience.

- The GeForce 9800 GTX graphics card is designed for the new PCI Express 2.0 bus architecture featured in nForce 7 Series motherboards, offering the highest data transfer speeds for the most bandwidth-hungry games and 3D applications.

- The new ESA-enabled NVIDIA Control Panel provides a state-of-the-art program for performance tuning and monitoring of your GeForce 9800 GTX graphics cards on nForce platforms.


Geforce 9800GTX Chipset Features


*NVIDIA unified architecture

*Full Microsoft DirectX 10 Support

*PCI Express 2.0 Support

*Giga Thread Technology

*NVIDIA Quantum Effects Technology

*Edge Enhancement

*Noise Reduction

*NVIDIA ForceWare unified Driver Architecture (UDA)

*128-bit floating point High Dynamic-Range (HDR) Lighting

*16x Anti-aliasing Technology

*OpenGL 2.1 Optimizations and Support

*Dual 400MHz RAMDACs

*Dual Dual-link DVI Support

*NVIDIA PureVideo HD Technology

*Discrete, Programmable Video Processor

*Dual-stream Hardware Acceleration

*Dynamic Contrast Enhancement & Color Stretch

*HDCP Capable

*Advanced Spatial-Temporal De-Interlacing

*Hardware Decode Acceleration

*High-Quality Scaling

*Bad Edit Correction

*NVIDIA Lumenex Engine

*Inverse Telecine (3:2 & 2:2 Pulldown Correction)


Video Output Function

*Dual-link DVI-I x 2

*TV-Out x1(via S-Video to Composite)

*HDTV-out

*VGA (via DVI to D-Sub adaptor)

*HDMI (DVI to HDMI adaptor)
 
 

Attacking SMM Memory via Intel® CPU Cache Poisoning

As promised, the paper and the proof of concept code have just been posted on the ITL website.

A quote from the paper:
In this paper we have described practical exploitation of the CPU cache poisoning in order to read or write into (otherwise protected) SMRAM memory. We have implemented two working exploits: one for dumping the content of SMRAM and the other one for arbitrary code execution in SMRAM. This is the third attack on SMM memory our team has found within the last 10 months, affecting Intel-based systems. It seems that current state of firmware security, even in case of such reputable vendors as Intel, is quite unsatisfying.

The potential consequence of attacks on SMM might include SMM rootkits [9], hypervisor compromises [8], or OS kernel protection bypassing [2].
Don't worry, the shellcode we use in the exploit is totally harmless (have really no idea how some people concluded we were going to release an SMM rootkit today?) — it only increases an internal counter on every SMI and jumps back to the original handler. If you want something more fancy, AKA SMM rootkits, you might want to re-read Sherri's and Shawn's last year's Black Hat paper and try writing something they describe there.

The attack presented in the paper has been fixed on some systems according to Intel. We have however found out that even the relatively new boards, like e.g. Intel DQ35 are still vulnerable (the very recent Intel DQ45 doesn't seem to be vulnerable though). The exploit attached is for DQ35 board — the offsets would have to be changed to work on other boards (please do not ask how to do this).

Keep in mind this is a different SMM attack than the one we mentioned during our last month's Black Hat presentation on TXT bypassing (the VU#127284). We are planning to present that other attack at the upcoming Black Hat Vegas. Hopefully this will not be the only one thing that ITL will entertain you with in Vegas — Alex and Rafal are already working now on something even cooler (and even lower level) for the show, so cross your fingers!

And good luck to Loic with his presentation that is about to start just now...


Independent Attack Discoveries

Next week's Thursday, March 19th, 1600 UTC, we will publish a paper (+ exploits) on exploiting Intel® CPU cache mechanisms.

The attack allows for privilege escalation from Ring 0 to the SMM on many recent motherboards with Intel CPUs. Interestingly, the very same attack will be presented by another researcher, Loic Duflot, at the CanSecWest conference in Vancouver, Canada, on... Thursday 19th, 1600 UTC. BTW, this is a different SMM-targeting attack than the one we mentioned during our recent TXT talk and that is scheduled to be presented later this year.

Here's the full story (there is also a moral at the end) …

Just after our presentation at the Black Hat last month, we (i.e. Rafal and I) have been independently approached by some person (or two different persons — we haven't figured that out actually — there were some ca. 30 people willing to ask us questions after the talk, so it's hard to remember all the faces), who was very curious about our SMM attacks (whose details we haven't discussed, of course, because Intel is still working on a fix). This person(s) started asking various questions about the attacks and one of the questions, that was asked to both me and Rafal, was if the attack used caching. Later that day, during a private ITL dinner, one of us brought this issue, and we started thinking if it was indeed possible to perform an SMM attack via CPU caching. By the end of the dinner we have sketched out the attack, and later when we got back to Poland, Rafal implemented a working exploit with code execution in SMM in a matter of just a few hours. (I think I used way too many parentheses in this paragraph).

So, being the good and responsible guys that we are, we immediately reported the new bug to Intel (actually talking to Intel's PSIRT is getting more and more routined for us in the recent months ;). And this is how we learnt that Loic came up with the same attack (back then there was no talk description at the conference website) — apparently he approached Intel about this back in October 2008, so 3-4 months before us — and also that he's planning to present it at the CanSecWest conference in March. So, we contacted Loic and agreed to do coordinated disclosure next Thursday.

Interestingly, however, none of us was even close to being the first discoverer of the underlying problem that our attacks exploit. In fact, the first mention of the possible attack using caching for compromising SMM has been discussed in certain documents authored as early as the end of 2005 (!) by nobody else than... Intel's own employees. Stay tuned for the details in our upcoming paper.

Conclusion

If there is a bug somewhere and if it stays unpatched for enough time, it is almost guaranteed that various people will (re)discover and exploit it, sooner or later. So, don't blame researchers that they find and publish information about bugs — they actually do a favor to our society. Remember the guy who asked us if our attack used caching? I bet he (or his associates) also have had exploits for this caching bug, but apparently didn't notify the vendor. Hmm, what they might have been doing with the exploit? When was the last time you scanned your system for SMM rootkits? ;)

Anyways, congrats to Loic for being the first one who wrote exploits for this bug. Also congrats to Intel employees who originally noticed the problem back in 2005.


Thoughts About Trusted Computing

Here are the slides about Trusted Computing I used for my presentations at the EuSecWest today, and at the Confidence conference last week.

As this was supposed to be a keynote, the slides are much less technical than our other slides, and also there are no new attacks presented there. Still, I hope they might be useful as some sort of an "alternative" introduction to Trusted Computing :)

A cool presentation I saw today was about PCI-based backdoors by Christophe Devine and Guillaume Vissian. They basically took a general-purpose FPGA programmable PC-card (AKA PCMCIA), flashed it with an FPGA "program" that implemented a simple state machine. The purpose of the state machine was to wait until its DMA engine gets initialized and then to modify certain bytes in the host memory, that happened to be part of the winlogon.exe process (IIRC they changed XOR AL, AL into MOV AL, 1, or something like that, at the end of some password verification function inside the winlogon.exe process). The slides should be available soon on the conference website. I also hope they will publish all the source code needed to flash your own personal "winlogon unlocker".

The live demo was really impressive — they showed a winlogon screen, tried to login a few times with wrong passwords, of course all the attempts failed, then they inserted their magic, $300 worth, PC-card, and… 2 seconds later they could log in using any password they wanted.

While not necessarily being a breakthrough, as everybody has known such things could be done for years, I think it is still important that somebody eventually implemented this, discussed the technical details (FPGA-related), and also showed how to implement it with a cheap generic "reflashable" hardware without using a soldering iron.

Of course I have also discussed in my presentation how to prevent PCI-based backdoors (like the one discussed here) using VT-d, but this defense is currently only available if you use Xen 3.3 or later, and also requires that you manually create driver domain partitions and come up with a reasonable scheme for assigning devices to driver domains. All in all 99.9% of users are not (and will not be anytime soon) protected against such attacks. Oh, wait, there is actually a relatively simple software-based workaround (besides putting a glue into your PC-card slot, which is not a very subtle one)… I wonder who else will find out :)


More Thoughts on CPU backdoors

I've recently exchanged a few emails with Loic Duflot about CPU-based backdoors. It turned out that he recently wrote a paper about hypothetical CPU-backdoors and also implemented some proof-of-concept ones using QEMU (for he doesn't happen to own a private CPU production line). The paper can be bought. (Loic is an academic, and so he must follow some of the strange customs in the academic world, one of them being that papers are not freely published, but rather being sold on a publisher website… Heck, even we, the ultimately commercialized researchers, still publish our papers and code for free).

Let me stress that what Loic writes about in the paper are only hypothetical backdoors, i.e. no actual backdoors have been found on any real CPU (ever, AFAIK!). What he does is he considers how Intel or AMD could implement a backdoor, and then he simulates this process by using QEMU and implementing those backdoors inside QEMU.

Loic also focuses on local privilege escalation backdoors only. You should however not underestimate a good local privilege escalation — such things could be used to break out of any virtual machine, like VMWare, or potentially even out of a software VMs like e.g. Java VM.

The backdoors Loic considers are somewhat similar in principle to the simple pseudo-code one-liner backdoor I used in my previous post about hardware backdoors, only more complicated in the actual implementation, as he took care of a few important details that I naturally didn't concern myself with. (BTW, the main message of my previous post was how cool a technology this VT-d is, being able to prevent PCI-based backdoors, and not how doomed we are because of Intel- or AMD-induced potential backdoors).

Some people believe that processor backdoors do not exist in reality, because if they did, the competing CPU makers would be able to find them in each other's products, and later would likely cause a "leak" to the public about such backdoors (think: Black PR). Here people make an assumption that AMD or Intel is technically capable of reversing each other's processors, which seems to be a natural consequence of them being able to produce them.

I don't think I fully agree with such an assumption though. Just the fact that you are capable of designing and producing a CPU, doesn't mean you can also reverse engineer it. Just the fact that Adobe can write a few hundred megabyte application, doesn't mean they are automatically capable of also reverse engineering similar applications of that size. Even if we assumed that it is technically feasible to use some electron microscope to scan and map all the electronic elements from the processor, there is still a problem of interpreting of how all those hundreds of millions of transistors actually work.

Anyway, a few more thoughts about properties of the hypothetical backdoors that Intel or AMD might use (be using).

First, I think that in such a backdoor scenario everything besides the "trigger" would be encrypted. The trigger is something that you must execute first, in order to activate the backdoor (e.g. the CMP instruction with particular, i.e. magic, values of some registers, say EAX, EBX, ECX, EDX). Only then the backdoor gets activated and e.g. the processor auto-magically escalates into Ring 0. Loic considers this in more detail in his paper. So, my point is that all the attacker's code that executes afterwards, think of it as of a shellcode for the backdoor, that is specific for the OS, is fetched by the processor in an encrypted form and decrypted only internally inside the CPU. That should be trivial to implement, while at the same time should complicate any potential forensic analysis afterwards — it would be highly non-trivial to understand what the backdoor actually has done.

Another crucial thing for a processor backdoor, I think, should be some sort of an anti-replay attack protection. Normally, if a smart admin had been recording all the network traffic, and also all the executables that ever got executed on the host, chances are that he or she would catch the triggering code and the shellcode (which might be encrypted, but still). So, no matter how subtle the trigger is, it is still quite possible that a curious admin will eventually find out that some tetris.exe somehow managed to breakout of a hardware VM and did something strange, e.g. installed a rootkit in a hypervisor (or some Java code somehow was able to send over all our DOCX files from our home directory).

Eventually the curious admin will find out that strange CPU instruction (the trigger) after which all the strange things had happened. Now, if the admin was able to take this code and replicate it, post it to Daily Dave, then, assuming his message would pass through the Moderator (Hi Dave), he would effectively compromise the processor vendor's reputation.

An anti-replay mechanism could ideally be some sort of a challenge-response protocol used in a trigger. So, instead of always having to put 0xdeadbeaf, 0xbabecafe, and 0x41414141 into EAX, EBX and EDX and execute some magic instruction (say CMP), you would have to put a magic that is a result of some crypto operation, taking current date and magic key as input:

Magic = MAGIC (Date, IntelSecretKey).

The obvious problem is how the processor can obtain current date? It would have to talk to the south-bridge at best, which is 1) nontrivial, and 2) observable on a bus, and 3) spoof'able.

A much better idea would be to equip a processor with some sort of an eeprom memory, say big enough to hold one 64-bit or maybe 128-bit value. Each processor would get a different value flashed there when leaving the factory. Now, in order to trigger the backdoor, the processor vendor (or backdoor operator, think: NSA) would have to do the following:

1) First execute some code that would read this unique value stored in eeprom for the particular target processor, and send this back to them,

2) Now, they could generate the actual magic for the trigger:

Magic = MAGIC (UniqueValueInEeprom, IntelSecretKey)

3) ...and send the actual code to execute the backdoor and shellcode, with the correct trigger embedded, based on the magic value.

Now, the point is that the processor will automatically increment the unique number stored in the eeprom, so the same backdoor-exploiting code would not work twice for the same processor (while at the same time it would be easy for NSA to send another exploit, as they know what the next value in the eeprom should be). Also, such a customized exploit would not work on any other CPU, as the assumption was that each CPU gets a different value at the factory, so again it would not be possible to replicate the attack and prove that the particular code has ever done something wrong.

So, the moment I learn that processors have built-in eeprom memory, I will start thinking seriously there are backdoors out there :)

One thing that bothers me with all those divagations about hypothetical backdoors in processors is that I find them pretty useless at the end of the day. After all, by talking about those backdoors, and how they might be created, we do not make it any easier to protect against them, as there simply is no possible defense here. Also this doesn't make it any easier for us to build such backdoors (if we wanted to become the bad guys for a change). It might only be of an interest to Intel or AMD, or whatever else processor maker, but I somewhat feel they have already spent much more time thinking about it, and chances are they probably can only laugh at what we are saying here, seeing how unsophisticated our proposed backdoors are. So, my Dear Reader, I think you've been just wasting time reading this post ;) Sorry for tricking you into this and I hope to write something more practical next time :)

Trusting Hardware

So, you're a decent paranoid person, running only open source software on your box: Linux, GNU, etc. You have the feeling you could, if you only wanted to, review every single line of code (of course you will probably never do this, but anyway). You might be even more paranoid and also try running an open source BIOS. You feel satisfied and cannot understand all those stupid people running closed source systems like e.g. Windows. Right?

But here's where you are stuck — you still must trust your hardware. Trust that your hardware vendor has not e.g. built in a backdoor into your network card micro-controller…

So, if we buy a laptop from vendor X, that might be based in some not-fully-democratic country, how do we know they didn't put backdoors there? And not only to spy on Americans, also to spy on their own citizens? When was the last time you reverse-engineered all the PCI devices on your motherboard?

Scared? Good!

Enters the game-changer: IOMMU (known as VT-d on Intel). With proper OS/VMM design, this technology can address the very problem of most of the hardware backdoors. A good example of a practical system that allows for that is Xen 3.3, which supports VT-d and allows you to move drivers into a separate, unprivileged driver domain(s). This way each PCI device can be limited to DMA only to the memory region occupied by its own driver.

The network card's microcontroller can still compromise the network card driver, but nothing else. Assuming we are using only encrypted communication, there is not much an attacker can gain by compromising this network card driver, besides doing a DoS. Similarly for the disk driver — if we use full disk encryption (which is a good idea anyway), there is not much an attacker can gain from compromising the low-level disk driver.
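An added example, not part of the original post: an audit of which PCI devices an IOMMU can actually confine, which is the precondition for the driver-domain isolation described above. It assumes a Linux host that exposes `/sys/bus/pci/devices` and `/sys/kernel/iommu_groups` (not the Xen 3.3 setup the post mentions); the function names and the sample tree are constructed for illustration.

```python
#!/usr/bin/env python3
"""Audit which PCI devices the IOMMU can confine, using Linux sysfs."""
import os
import tempfile


def read_class(dev_dir):
    """Return the PCI class code (e.g. 0x020000 for Ethernet) or None."""
    try:
        with open(os.path.join(dev_dir, "class")) as fh:
            return int(fh.read().strip(), 16)
    except (OSError, ValueError):
        return None


def audit_iommu(sysfs_root="/sys"):
    """Map every PCI device to its IOMMU group.

    Returns (groups, unprotected, shared):
      groups      {group id: [BDF, ...]}
      unprotected [BDF, ...] devices without an iommu_group link, i.e.
                  the kernel has not placed them behind an IOMMU
      shared      {group id: [BDF, ...]} groups holding more than one
                  non-bridge device; the group is the unit of isolation,
                  so these devices cannot be confined separately
    """
    pci_dir = os.path.join(sysfs_root, "bus", "pci", "devices")
    groups, unprotected, endpoints = {}, [], {}
    try:
        bdfs = sorted(os.listdir(pci_dir))
    except OSError:
        return {}, [], {}  # no PCI bus exposed under this root
    for bdf in bdfs:
        dev_dir = os.path.join(pci_dir, bdf)
        link = os.path.join(dev_dir, "iommu_group")
        if not os.path.islink(link):
            unprotected.append(bdf)
            continue
        gid = os.path.basename(os.path.realpath(link))
        groups.setdefault(gid, []).append(bdf)
        cls = read_class(dev_dir)
        is_bridge = cls is not None and (cls >> 16) == 0x06
        if not is_bridge:
            endpoints.setdefault(gid, []).append(bdf)
    shared = {g: d for g, d in endpoints.items() if len(d) > 1}
    return groups, unprotected, shared


def build_sample_tree(root):
    """Constructed sysfs-like tree for offline runs (not real hardware)."""
    sample = {  # BDF: (class code, IOMMU group or None)
        "0000:00:1c.0": ("0x060400", "7"),   # PCI-to-PCI bridge
        "0000:02:00.0": ("0x020000", "7"),   # Ethernet behind that bridge
        "0000:02:00.1": ("0x020000", "7"),   # second port, same group
        "0000:03:00.0": ("0x010601", "9"),   # SATA controller, own group
        "0000:04:00.0": ("0x0c0010", None),  # FireWire, no IOMMU group
    }
    for bdf, (cls, gid) in sample.items():
        dev = os.path.join(root, "bus", "pci", "devices", bdf)
        os.makedirs(dev)
        with open(os.path.join(dev, "class"), "w") as fh:
            fh.write(cls + "\n")
        if gid is not None:
            grp = os.path.join(root, "kernel", "iommu_groups", gid)
            os.makedirs(grp, exist_ok=True)
            os.symlink(grp, os.path.join(dev, "iommu_group"))
    return root


if __name__ == "__main__":
    live = os.path.isdir("/sys/kernel/iommu_groups")
    root = "/sys" if live else build_sample_tree(tempfile.mkdtemp())
    groups, unprotected, shared = audit_iommu(root)
    print("source:", "live sysfs" if live else "constructed sample tree")
    for bdf in unprotected:
        print(f"NO IOMMU GROUP  {bdf}: DMA is not confined")
    for gid, devs in sorted(shared.items()):
        print(f"SHARED GROUP {gid}: {', '.join(devs)} cannot be split")
    print(f"{len(groups)} group(s), {len(unprotected)} unconfined device(s)")
```

Group membership only shows that a device can be confined; whether its DMA is actually restricted depends on the domain the OS or hypervisor attaches the group to.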

Obviously the design of such a system (especially used for desktop computing) is not trivial and needs to be thoroughly thought out. But it is possible today(!), thanks to those new virtualization technologies.

It seems, then, that we could protect ourselves against potentially malicious hardware. With one exception however… we still need to trust the CPU and also the memory controller (AKA northbridge AKA chipset), that implements that IOMMU.

On AMD systems, the memory controller has long been integrated into the processor. Also Intel's recent Nehalem processors integrate the memory controller on the same die.

This all means we need to trust only one vendor (Intel or AMD) and only one component, i.e. The Processor. But should we blindly trust them? After all it would be trivial for Intel or AMD to build in a backdoor into their processor. Even something as simple as:

if (rax == MAGIC_1 && rcx == MAGIC_2) jmp [rbx]

Just a few more gates in the CPU I guess (there are apparently already about 780 million gates on Core i7, so a few more should not make much difference), and no performance penalty. Exploitable remotely on most systems and any more complex program I guess. Yet, totally undetectable for anybody without an electron microscope (and tons of skills and knowledge).

And this is just the simplest example that comes to mind within just a few minutes. I'm sure one could come up with something even more universal and reliable. The fact is — if you are the CPU vendor, it is trivial for you to build in an effective backdoor.

It's funny how various people, e.g. European government institutions, are afraid of using closed source software, e.g. Windows, because they are afraid of Microsoft putting backdoors there. Yet, they are not concerned about using processors made by some other US companies. It is significantly more risky for Microsoft to put a backdoor into its software, where even a skilled teenager equipped with IDA Pro can find it, than it is for Intel or AMD, where effectively nobody can find it.

So, I wonder whether various government and large corporate customers from outside the US will start asking Intel and AMD to provide them with the exact blueprints of their processors. After all they already require Microsoft to provide them with the source code under an NDA, right? So, why not the "source code" for the processor?

Unfortunately there is nothing that could stop a processor vendor from providing its customers with different blueprints than those that are used to actually "burn" the processors. So, an additional requirement would be needed that they also allow their manufacturing process to be audited. Another solution would be to hire some group of independent researchers, equip them with an electron microscope and let them reverse engineer some randomly chosen processors… Hmmm, I even know a team that would love to do that ;)

A quick summary in case you get lost already:
  1. On most systems we are not protected against hardware backdoors, e.g. in the network card controller.
  2. New technologies, e.g. Intel VT-d, can allow to protect against potentially malicious hardware (requires specially designed OS, e.g. specially configured Xen)…
  3. … except for the potential backdoors in the processor.
  4. If we don't trust Microsoft, why should we trust Intel or AMD?
BTW, in May I will be speaking at the Confidence conference in Krakow, Poland. This is gonna be a keynote, so don't expect new attacks to be revealed, but rather some more philosophical stuff about trusted computing (why it is not evil) and problems like the one discussed today. See you there!


DDR2 SDRAM





DDR2 SDRAM is a double data rate synchronous dynamic random access memory interface. It supersedes the original DDR SDRAM specification and the two are not compatible. In addition to double pumping the data bus as in DDR SDRAM (transferring data on the rising and falling edges of the bus clock signal), DDR2 employs an I/O buffer between the memory and the data bus so that the data bus can be run at twice the speed of the memory clock. The two factors combine to achieve a total of 4 data transfers per memory clock cycle.

With data being transferred 64 bits at a time, DDR2 SDRAM gives a transfer rate of (memory clock rate) × 2 (for bus clock multiplier) × 2 (for dual rate) × 64 (number of bits transferred) / 8 (number of bits/byte). Thus with a memory clock frequency of 100 MHz, DDR2 SDRAM gives a maximum transfer rate of 3200 MB/s.

Since the memory clock runs at half the external data bus clock rate, DDR2 memory operating at the same external data bus clock rate as DDR will provide the same bandwidth but with higher latency, resulting in inferior performance. Alternatively, DDR2 memory operating at twice the external data bus clock rate as DDR may provide twice the bandwidth with the same latency (in nanoseconds). The best-rated DDR2 memory modules are at least twice as fast as the best-rated DDR memory modules.


ATX MidTower Computer Case





A computer case (also known as a computer chassis, cabinet, tower, box, enclosure, housing or simply case) is the enclosure that contains the main components of a computer. A computer case is sometimes referred to metonymously as a CPU, referring to the primary component housed within the case; this was a more common term in the earlier days of home computers, when peripherals other than the motherboard were usually housed in their own separate cases.







ATX Middle Tower Computer Case

Wi-Fi Card



PCI Card WiFi





Wi-Fi is a trademark of the Wi-Fi Alliance for certified products based on the IEEE 802.11 standards. This certification warrants interoperability between different wireless devices.

In some countries (and in this article) the term Wi-Fi is often used by the public as a synonym for IEEE 802.11-wireless LAN (WLAN).

Not every IEEE 802.11 compliant device is certified by the Wi-Fi Alliance, which may be because of certification costs that must be paid for each certified device type. The lack of the Wi-Fi logo does not imply that a WLAN device is incompatible with certified Wi-Fi devices.

Wi-Fi is supported by most personal computer operating systems, many game consoles, laptops, smartphones, printers, and other peripherals.


DDR3 SDRAM



In electronic engineering, DDR3 SDRAM or double-data-rate three synchronous dynamic random access memory is a random access memory interface technology used for high bandwidth storage of the working data of a computer or other digital electronic devices. DDR3 is part of the SDRAM family of technologies and is one of the many DRAM (dynamic random access memory) implementations.

DDR3 SDRAM is an improvement over its predecessor, DDR2 SDRAM, and the two are not compatible. The primary benefit of DDR3 is the ability to transfer at twice the data rate of DDR2 (I/O at 8× the data rate of the memory cells it contains), thus enabling higher bus rates and higher peak rates than earlier memory technologies. There is no corresponding reduction in latency, as that is a feature of the DRAM array and not the interface. In addition, the DDR3 standard allows for chip capacities of 512 megabits to 8 gigabits, effectively enabling a maximum memory module size of 16 gigabytes.

With data being transferred 64 bits at a time per memory module, DDR3 SDRAM gives a transfer rate of (memory clock rate) × 4 (for bus clock multiplier) × 2 (for data rate) × 64 (number of bits transferred) / 8 (number of bits/byte). Thus with a memory clock frequency of 100 MHz, DDR3 SDRAM gives a maximum transfer rate of 6400 MB/s.

It should be emphasized that DDR3 is a DRAM interface specification; the actual DRAM arrays that store the data are the same as in any other type of DRAM, and have similar performance.

Mousepad






A mousepad is a surface for enhancing the usability of a computer mouse. Modern mousepads are typically made of lesser density rubber composites with fabric bonded to the upper surface. However, many other types of material have been used, including fabric, plastics, recycled rubber tires, silicone rubber, leather, glass, cork, wood, aluminum, stone and stainless steel. High-quality gaming mats are usually made from plastic, aluminum or high-tech fibers.




Vegas Toys (Part I): The Ring -3 Tools

We've just published the proof of concept code for Alex's and Rafal's "Ring -3 Rootkits" talk, presented last month at the Black Hat conference in Vegas. You can download the code from our website. It's highly recommended that one (re)reads the slides before playing with the code.

In short, the code demonstrates injection of arbitrary ARC4 code into a vPro-compatible chipset's AMT/ME memory using the chipset memory reclaiming attack. Check the README and the slides for more information.


The actual ARC4 code we distribute here is very simple: it sets up a DMA write transaction to the host memory every ca. 15 seconds in order to write the "ITL" string at predefined physical addresses (increased by 4 with every iteration). Of course one can do a DMA read as well.


The ability to do DMA from the ARC4 code to/from the host memory is, in fact, all that is necessary to write a sophisticated rootkit or any sort of malware, from funny jokers to sophisticated secret sniffers. Your imagination (and good pattern searching) is the only limit here.

Neither the OS nor any software running on the host OS can access our rootkit code, unless, of course, it uses the same remapping attack we used to insert our code there :) But the rootkit might even cut off this route by locking down the remapping registers, thereby fixing the vulnerability on the fly after exploiting it (of course it would be insane for any AV to use our remapping attack in order to scan ME space, but just for completeness ;)

An OS might attempt to protect itself from DMA accesses from the rootkit in the chipset by carefully setting VT-d protections. Xen 3.3/3.4, for example, sets VT-d protections in such a way that our rootkit cannot access the Xen hypervisor memory. We can, however, access all the other parts of the system, which includes all the domains' memory (i.e. where all the interesting data are located). Still, it should be possible to modify Xen so that it sets VT-d mappings in such a strict way that the AMT code (and the AMT rootkit) could not access any useful information in any of the domains. This, in fact, would be a good idea anyway, as it would also prevent any sort of hardware-based backdoors (except for the backdoors in the CPU).

An AMT rootkit can, however, get around such a savvy OS because it can modify the OS's VT-d initialization code before it sets the VT-d protections. Alternatively, if the protections are set before the rootkit was activated, the rootkit can force the system to reboot and boot it from the AMT Virtual CDROM (in fact AMT has been designed to be able to do exactly that), which would contain rootkit agent code that would modify the to-be-loaded OS/VMM image, so that it doesn't set up VT-d properly.

Of course, the proper solution against such an attack would be to use e.g. Intel TXT to assure trusted boot of the system. In theory this should work. In practice, as you might recall, we have already shown how to bypass Intel TXT. This TXT bypass attack still works on most (all?) hardware, as there is still no STM available in the wild (all that is needed for the attack is to have a working SMM attack, and last month we showed 2 such attacks — see the slides for the BIOS talk).

Intel released a patch a day before our presentation at Black Hat. This is a cumulative patch that also targets a few other, unrelated problems, e.g. the SMM caching attack (also reported by Loic), the SMM nvacpi attack, and the Q45 BIOS reflashing attack (for which the code will also be published shortly).

Some of you might remember that Intel patched this very remapping bug last year, after our Xen 0wning Trilogy presentations, where we used the very same bug to get around Xen hypervisor protections. However, Intel forgot about one small detail, namely that it was perfectly possible for malware to downgrade the BIOS to the previous, pre-Black-Hat-2008 version without any user consent (after all, this old BIOS file was also digitally signed by Intel). So, with just one additional reboot (but without any user intervention needed) malware could still use the old remapping bug, this time to get access to the AMT memory. The recent patch mentioned above solves this problem by displaying a prompt during reflash boot if reflashing to an older version of the BIOS. So now it requires user intervention (a physical presence). This "downgrade protection" works, however, only if we have an administrator password enabled in the BIOS.
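The downgrade logic described above, modelled as an added example (this is not Intel's BIOS code and not part of the original post): it contrasts a signature-only reflash check with the prompt-on-downgrade behaviour, then audits a small inventory for hosts that can still be rolled back unattended. All names, the build numbers and `PLACEHOLDER_PATCHED_BUILD` are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
/* Constructed model, not Intel's BIOS code. Names, build numbers and
 * PLACEHOLDER_PATCHED_BUILD are assumptions made for this example. */
#define PLACEHOLDER_PATCHED_BUILD 1200u  /* first build with the prompt */
typedef enum { FLASH_REJECT, FLASH_ACCEPT, FLASH_PROMPT } verdict_t;

struct reflash {
    unsigned installed, candidate; /* build numbers, higher is newer */
    bool sig_valid;                /* vendor signature verified */
    bool admin_pw_set;             /* BIOS administrator password enabled */
    bool user_present;             /* prompt confirmed at the console */
};
struct host { const char *name; unsigned build; bool admin_pw_set; };

/* Before the patch: a valid vendor signature is the only gate. */
verdict_t policy_signature_only(const struct reflash *r)
{
    return r->sig_valid ? FLASH_ACCEPT : FLASH_REJECT;
}

/* After the patch, as the post describes it: a downgrade needs console
 * confirmation, but only when an administrator password is set. */
verdict_t policy_downgrade_prompt(const struct reflash *r)
{
    if (!r->sig_valid) return FLASH_REJECT;
    if (r->candidate >= r->installed) return FLASH_ACCEPT;
    if (!r->admin_pw_set) return FLASH_ACCEPT;  /* protection inactive */
    return r->user_present ? FLASH_ACCEPT : FLASH_PROMPT;
}

/* Audit: would an unattended request for an older signed build go through? */
bool silently_downgradable(const struct host *h)
{
    struct reflash r = { h->build, h->build - 1, true, h->admin_pw_set, false };
    if (h->build < PLACEHOLDER_PATCHED_BUILD)
        return policy_signature_only(&r) == FLASH_ACCEPT;
    return policy_downgrade_prompt(&r) == FLASH_ACCEPT;
}

static const struct host FLEET[] = {  /* constructed inventory */
    { "ws-01", 1200, true }, { "ws-02", 1200, false }, { "ws-03", 1187, true },
};

int main(void)
{
    for (size_t i = 0; i < sizeof FLEET / sizeof *FLEET; i++)
        printf("%-6s %s\n", FLEET[i].name,
               silently_downgradable(&FLEET[i]) ? "EXPOSED" : "ok");
    return 0;
}
```

The two exposed cases in the sample inventory are the ones the post calls out: a host still on a pre-patch build, and a patched host with no administrator password set.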

We could get into the AMT memory on Q35, however, even if the downgrade attack was not possible. In that case we could use our BIOS reflashing exploit (the other Black Hat presentation).

However, the situation looks different on Intel's latest Q45 chipsets (which also have AMT). As explained in the presentation, we were unable to get access to the AMT memory on those chipsets, even though we can reflash the BIOS there, and consequently, even though we can get rid of all the chipset locks (e.g. the remapping locks). Still, the remapping doesn't seem to work for this one memory range, where the AMT code resides.

This suggests Intel added some additional hardware to the Q45 chipset (and other Series 4 chipsets) to prevent this very type of attack. But we're not giving up on Q45 yet, and we will be trying other attacks, as soon as we recover from the holiday laziness ;)

Finally, the nice picture of the Q35 chipset (MCH), where our rootkit lives :) The ARC4 processor is somewhere inside...

Split Stick The Double-Sided USB Drive

Split Stick, Double-Sided USB Drive, Hits quirky's Online Store

collaboratively developed in one week by quirky's community


New York, NY, July 23, 2009 -- Today marks the official release of the Split Stick - a community designed double-sided USB drive. Everyone always tells you to keep your work and your personal life separate. Now you can maintain that divide with your files too.

With the Split Stick, you can enforce the digital divide between office and personal, home and away, yours and hers, g rated and x rated, or whatever else you choose to separate.

Split Stick is the sixth product designed and developed by the quirky community since quirky’s launch on June 2nd. quirky gives everyone the chance to get product ideas out of their heads and onto shelves. Each week quirky’s community collaborates to select and produce one new product idea. This week ends the development of the Split Stick and it is now available for sale at quirky’s online store for $19.99. Accompanying the Split Stick are 4 other quirky developed products: the Sling Back, a universal wire retractor; the Ouch Pouch, a funkier version of the traditional blue and white arm sling; the Pressto, a tofu press; and the Sudokid, a kid's Sudoku set.

Designed and developed by the quirky community, Split Stick is two, two-gigabyte retractable USB drives that are built into one slim (four gigabyte) stick. The Split Stick is made of an anodized aluminum body and encased in a protective rubber membrane. The Split Stick comes in a range of colors: orange, blue, pink, red, black, violet, grey, or green. This plastic button allows one to easily navigate between the two different sides of the drive.

Customers can select how they want to divide their Split Stick by selecting their own text or choosing icons from quirky's icon gallery. These will be laser etched during the ordering process.

quirky engages participants to collaborate in every aspect of product creation - from ideation, design, naming, manufacturing, marketing, right on through to sales. Anyone can participate on quirky.com either by submitting their own product idea for $99, or by voting, rating, and influencing other people’s product ideas. Cooler still, 30¢ of every dollar generated from the sale of a quirky product goes back to these influencers.

Every week users post ideas on quirky to be rated by the quirky community. The community surveys the submissions during the 7-day evaluation period and selects one product to move forward to product development. quirky’s community then begins weighing in on everything from naming to logo selection to packaging through to prototype.

The final product becomes available for pre-sale at the quirky online store (quirky.com/products). Once the product hits its pre-sale threshold, credit cards are charged, and the product goes into production and delivery. At this point, 30¢ of every dollar made from the sale of these products goes back to the community. “Community” in this case covers both the ideator as well as all people who voted, commented, and rated the project idea along the way.
 