Because there are so many applications out there with all manner of attractive vulnerabilities just waiting to be exploited, few hackers have spent much time in recent years messing around with hardware. Why bother learning about device drivers, RAM acquisition and hardware interrupts when you can cut and paste shell code you found on a mailing list and have root in 30 seconds? The oldest reason on Earth: money. If you can hide your code on a compromised machine in say, a bank or a classified government network, you might find a way to make some money from that.
Just as attackers have concentrated their efforts on the OS and applications, so have security vendors, administrators and security specialists. Many security professionals, CIOs and CSOs are former network administrators who spent years learning the ins and outs of network design, protection and management. They can configure routers and switches in their sleep and know more tricks and tactics for locking down Windows NT, 2000 and XP than the developers who wrote the code do. Many of the attacks used these days fall into one of a handful of classes that are well-understood by both security vendors and security professionals, and they know how to defend against them. Buffer overruns and SQL injections still happen all the time, but at least they have known causes and remedies.
That is most definitely not the case with the kind of cutting-edge hardware-based attacks that the elite of the hacker world are working on at the moment. Take for example Joanna Rutkowska, a security researcher with COSEINC, and a rising star in the hacker world. She gave a standing-room-only presentation at the recent Black Hat DC entitled "Beyond The CPU: Defeating Hardware Based RAM Acquisition Tools" that had some of the other presenters at the conference shaking their heads in wonder. In her talk, Rutkowska demonstrated several techniques for tricking forensic tools into seeing a different image of the RAM on a compromised machine than the one that is actually in the PC's physical memory. The demonstration she performed worked on an AMD64-based system, but she said it could also work on other architectures.
The techniques Rutkowska showed off are significant for two main reasons. First, when they're in the process of analyzing a compromised machine or a PC that might have been used in a crime, forensic analysts typically use hardware-based methods to acquire the machine's RAM, usually via a PCI card or a Firewire bus. Rutkowska's methods neutralize this, meaning that an attacker would have a good chance of keeping his tracks hidden on the machine. And second, the number of people who understand the low-level architecture of processors—and could therefore detect and defeat attacks like Rutkowska's—is several orders of magnitude smaller than the number who know how to stop more common attacks like worms and buffer overruns.
She is not alone in finding novel ways to abuse hardware either. John Heasman, director of research at NGS Software, spent an hour and a half at the conference scaring the audience out of its wits with his descriptions of several techniques for using the memory space on PCI cards and other devices to load rootkits . Heasman has been at this particular task for some time now, and his work is in no way theoretical; these are working exploits. He's found methods for loading a rootkit onto a PCI device via the flashable ROM. And he's also developed an elegant way to subvert the NT kernel and set up fake stack pointers.
Most of the major enterprise software vendors have gotten fairly good at closing the most common holes in their applications in the last few years. Microsoft has made it much more difficult for attackers to run arbitrary code on Windows machines, especially in Vista. And other vendors are now routinely use code-scanning tools to identify common coding errors that lead to security flaws.
That security awareness has not yet made its way into the hardware realm. Efforts such as the Trusted Computing Group's Trusted Platform Module can be useful in defeating some of the hardware-based attacks. But the chip makers, the PCI card manufacturers and the thousands of other companies that make the guts of today's PCs have yet to fully embrace security. And that's largely due to the fact that they've had no motivation to do so. If the attackers are busy picking apart Windows and Oracle apps, what can Intel or AMD do to help?
A lot, as it turns out. Both chip makers are busily adding security features to their processors in an effort to prevent some of these attacks and others, including emerging threats from virtualization technology. Security likely will become a major selling point for these companies as the attacks continue to develop and hardware-based security architectures mature. CIOs and IT managers would do well to start asking their hardware vendors what they're doing about security. And if the answer that comes back doesn't cut it, there's always another vendor waiting in the lobby who might have a better answer for you.
This was first published in March 2007