What If You Can't Trust Your Network Card?

@inproceedings{Duflot2011WhatIY,
  title={What If You Can't Trust Your Network Card?},
  author={Lo{\"i}c Duflot and Yves-Alexis Perez and Benjamin Morin},
  booktitle={RAID},
  year={2011}
}
In the last few years, many different attacks against computing platforms targeting hardware or low-level firmware have been published. Such attacks are generally quite hard to detect and to defend against, as they target components that are out of the scope of the operating system and may not have been taken into account in the security policy enforced on the platform. In this paper, we study the case of remote attacks against network adapters. In our case study, we assume that the target…
A Primitive for Revealing Stealthy Peripheral-Based Attacks on the Computing Platform's Main Memory
TLDR
BARM, a runtime monitor that permanently monitors bus activity to expose malicious memory accesses carried out by peripherals, is implemented; it not only detects and prevents DMA-based attacks but also runs without significant overhead, thanks to the use of commonly available CPU features of the x86 platform.
Detecting peripheral-based attacks on the host memory
TLDR
This work addresses stealthy peripheral-based attacks on host computers and presents a new approach to detecting them, using stealthy malicious software based on isolated micro-controllers to conduct an attack analysis and developing a novel runtime detector.
SoK: Hardware Security Support for Trustworthy Execution
TLDR
This paper systematizes hardware mechanisms providing trusted execution environments (TEEs), support for integrity checking and memory safety and widespread uses of hardware roots of trust through the lens of abstraction and finds that these abstractions can both obscure information that is needed for security enforcement, as well as reveal information that needs to be kept secret, leading to vulnerabilities.
IOMMU protection against I/O attacks: a vulnerability and a proof of concept
TLDR
A design weakness is discovered in the configuration of an IOMMU, and a possible exploitation scenario that would allow a malicious peripheral to bypass the underlying protection mechanism is implemented.
TOWARDS SECURE NETWORK COMMUNICATIONS WITH CLIENTS HAVING CRYPTOGRAPHICALLY ATTESTABLE INTEGRITY
TLDR
The proposed solution is built around a type 1 bare-metal hypervisor, relying on hardware-enforced technologies to provide strong isolation between a secure operating environment on the clients and a possibly compromised OS, and carries significant value, both from a security point of view and in terms of market applicability.
Off-the-shelf Embedded Devices as Platforms for Security Research
TLDR
This paper describes two new devices that have not been previously reverse engineered, a programmable logic controller (PLC) and a solid state drive (SSD), and discusses possible new directions with these two "real-world" research platforms.
HyperCheck: A Hardware-Assisted Integrity Monitor
TLDR
This paper presents HyperCheck, a hardware-assisted tampering detection framework designed to protect the integrity of hypervisors and operating systems, and measures that HyperCheck can communicate the entire static code of the Xen hypervisor and CPU register states in less than 90 million CPU cycles, or 90 ms on a 1 GHz CPU.
A Framework to Secure Peripherals at Runtime
TLDR
The experimental results show that IOCheck takes 10 milliseconds to check the integrity of a network card and a video card, and it achieves a faster switching time than the Dynamic Root of Trust Measurement approach.
Bypassing IOMMU Protection against I/O Attacks
TLDR
A design weakness is discovered in the configuration of an IOMMU by the Intel IOMMU Linux driver, and a possible exploitation scenario that would allow a malicious peripheral to bypass the underlying protection mechanism is implemented.

References

Attacking and Protecting Constrained Embedded Systems from Control Flow Attacks
TLDR
A new method for software-based attestation that is immune to the vulnerabilities in previous protocols is proposed, and a hardware-based technique is presented that modifies the memory layout to prevent control flow attacks with very low overhead.
Autonomic Recovery: HyperCheck: A Hardware-Assisted Integrity Monitor
Abstract: Over the past few years, virtualization has been employed in environments ranging from densely populated cloud computing clusters to home desktop computers. Security researchers embraced
Transparent Runtime Shadow Stack : Protection against malicious return address modifications
Exploitation of buffer overflow vulnerabilities constitutes a significant portion of security attacks in computer systems. One of the most common types of buffer overflow attacks is the hijacking of
VIPER: verifying the integrity of PERipherals' firmware
TLDR
This work proposes software-only attestation protocols to verify the integrity of peripherals' firmware, and shows that they can detect all known software-based attacks.
SBAP: Software-Based Attestation for Peripherals
TLDR
This work proposes a Software-Based Attestation technique for Peripherals that verifies the firmware integrity of a peripheral and detects malicious changes with a high probability, even in the face of recently proposed attacks.
Exploiting an I/OMMU vulnerability
TLDR
This paper presents different vulnerabilities the authors identified on Intel VT-d, which implements an I/OMMU, and gives some recommendations to prevent these vulnerabilities from being used for malicious purposes.
Reversing and exploiting an Apple firmware update
The security posture of a computer can be adversely affected by poorly-designed devices on its USB bus. Many modern embedded devices permit firmware to be upgraded in the field and the use of
On the difficulty of software-based attestation of embedded devices
TLDR
This paper presents two generic attacks, one based on a return-oriented rootkit and the other on code compression, and describes specific attacks on two existing proposals, namely SWATT and ICE-based schemes.
Defending embedded systems against control flow attacks
This paper presents a control flow enforcement technique based on an Instruction Based Memory Access Control (IBMAC) implemented in hardware. It is specifically designed to protect low-cost embedded
Protecting Software Code by Guards
TLDR
This paper presents and explores a methodology that is believed to protect program integrity in a more tamper-resilient and flexible manner, and implements a system for automating the process of installing guards into Win32 executables.