UK diy (uk.d-i-y) For the discussion of all topics related to diy (do-it-yourself) in the UK. All levels of experience and proficiency are welcome to join in to ask questions or offer solutions.

#121 Posted to uk.d-i-y, Posts: 2,321
Idle fun for net hackers..

On Thu, 01 Mar 2012 14:50:36 +0000, The Natural Philosopher wrote:

Jules Richardson wrote:
On Thu, 01 Mar 2012 06:30:06 +1100, Rod Speed wrote:

Tim Watts wrote
The Natural Philosopher wrote
Exactly, an undetectable change that results in no detectable
activity by anyone in the whole universe is not a security risk.
You may have a "potentially detectable" change, but for any practical
detection mechanism, I feel fairly safe in asserting that it could
potentially be hacked so as not to leave a trace *detectable by the
detection mechanism*.
Doesn't matter if you are fairly certain or not, there are obvious
examples where that isn't possible. Most obviously with a full restore
from image using a machine that isn't even net accessible.


Technically, is it possible to re-flash a PC's BIOS from a binary
running with sufficient permissions under the host OS, such that
malicious code could potentially run undetected following reboot,
regardless of whether hard disk contents were restored from an image on
another system?


It is not clear that Linux uses the BIOS at all, except to boot..

I SUPPOSE the bios might write something to the disk during boot..


Yes, I don't think there's much BIOS interaction once a modern OS has
booted, but the point is that BIOS code *is* run at system startup, so
perhaps it's possible for some form of malicious BIOS to infect the
machine's OS at boot time, even if that OS is a supposedly-clean image
freshly installed from a 'secure' system.

It's sort of along the lines of 'well you have smashed down the front
door and all you are going to steal is a magazine?'

In other words, given that sort of access, you could find easier
targets.


Well, the point would be that a user could think that their system was
secure because, even though malicious code existed on the system, it was
not actually on the hard disk. If it is possible at all, I'd suspect that any
form of malicious BIOS wouldn't actually be the virus, but would
compromise the system's hard disk such that when the OS was booted
something else was run which did the hard work.

Getting malicious code into the system BIOS in the first place would be
the tricky bit of course, and would rely on something nasty being run on
the machine - but the "clever" part is that if the user spotted the
infection and cleaned up, they might be blissfully unaware that the
machine was still compromised. The dodgy code could easily sit around for
months in the BIOS before triggering on a reboot.

I'm just curious if modern systems prevent it from even being possible -
or if it's just not common because at the moment there are currently far
easier ways of attacking a system. The latter might change as systems
become more secure (and/or users become more clueful about threats).

Obviously what you want to build is a daemon that doesn't show up in the
process table, either as a process or in terms of RAM used... doesn't
get logged, whose internet accesses don't get recorded in the machine's
ethernet statistics.. so it's probably going to be a new ethernet
driver.. oh, and it must have the same file length and checksum as the
proper one. And you must erase all entries in all logfiles relating to
your access to install it.


I don't think the 'loader' stage would necessarily have to cover its
tracks to that extent - it would just need to look like a regular old
virus and re-flash the BIOS, while somehow concealing the fact it had
done the latter (which I suspect is easy at present because AFAIK nobody
habitually keeps a record of their BIOS checksum, so wouldn't know that
it had been altered).

The major stumbling block from the virus point of view is the diversity
of BIOS code out there - I suspect it would either have to detect the
BIOS vendor and load malicious code from something internal to the
'loader' code, or "phone home" to fetch the appropriate code for the
system it was trying to infect. The dodgy code which actually got
installed in the BIOS area could probably just assume a SATA drive and
some flavour of Windows, and that would cover a high enough proportion of
running machines to make that aspect worthwhile.

cheers

Jules
#122 Posted to uk.d-i-y, Posts: 40,893
Idle fun for net hackers..

Jules Richardson wrote
Rod Speed wrote
Tim Watts wrote
The Natural Philosopher wrote


Exactly, an undetectable change that results in no detectable
activity by anyone in the whole universe is not a security risk.


You may have a "potentially detectable" change, but for any
practical detection mechanism, I feel fairly safe in asserting
that it could potentially be hacked so as not to leave a trace
*detectable by the detection mechanism*.


Doesn't matter if you are fairly certain or not, there are obvious
examples where that isn't possible. Most obviously with a full
restore from image using a machine that isn't even net accessible.


Technically, is it possible to re-flash a PC's BIOS from a
binary running with sufficient permissions under the host OS,


Not with a system that has a jumper that has to be in a particular
position before that can happen, and obviously if you are paranoid
about that being done maliciously, you would only use one of those.

And it's perfectly possible to keep a hash of that anyway,
so you can always detect when that has happened.

such that malicious code could potentially run undetected
following reboot, regardless of whether hard disk contents
were restored from an image on another system?


I've never heard of it happening, but I'm curious whether it could in theory be done.


Yes, it's certainly possible but very easy to protect against
and monitor if that's happened so it won't go undetected.


#123 Posted to uk.d-i-y, Posts: 40,893
Idle fun for net hackers..

Jules Richardson wrote
The Natural Philosopher wrote
Jules Richardson wrote
Rod Speed wrote
Tim Watts wrote
The Natural Philosopher wrote


Exactly, an undetectable change that results in no detectable
activity by anyone in the whole universe is not a security risk.


You may have a "potentially detectable" change, but for any
practical detection mechanism, I feel fairly safe in asserting
that it could potentially be hacked so as not to leave a trace
*detectable by the detection mechanism*.


Doesn't matter if you are fairly certain or not, there are obvious
examples where that isn't possible. Most obviously with a full
restore from image using a machine that isn't even net accessible.


Technically, is it possible to re-flash a PC's BIOS from a binary
running with sufficient permissions under the host OS, such that
malicious code could potentially run undetected following reboot,
regardless of whether hard disk contents were restored from an
image on another system?


It is not clear that Linux uses the BIOS at all, except to boot..


I SUPPOSE the bios might write something to the disk during boot..


Yes, I don't think there's much BIOS interaction once a modern OS
has booted, but the point is that BIOS code *is* run at system startup,
so perhaps it's possible for some form of malicious BIOS to infect the
machine's OS at boot time, even if that OS is a supposedly-clean
image freshly installed from a 'secure' system.


Yes, that's certainly possible.

It's sort of along the lines of 'well you have smashed down
the front door and all you are going to steal is a magazine?'


In other words, given that sort of access, you could find easier targets.


Well, the point would be that a user could think that their system was
secure because, even though malicious code existed on the system, it
was not actually on the hard disk. If it is possible at all, I'd suspect
that any form of malicious BIOS wouldn't actually be the virus, but
would compromise the system's hard disk such that when the OS
was booted something else was run which did the hard work.


Sure, but that 'something else' would obviously be visible.

Getting malicious code into the system BIOS in the first place would
be the tricky bit of course, and would rely on something nasty being
run on the machine - but the "clever" part is that if the user spotted
the infection and cleaned up, they might be blissfully unaware that
the machine was still compromised. The dodgy code could easily
sit around for months in the BIOS before triggering on a reboot.


Yes, but it isn't hard to check if there has been any change to the bios.

I'm just curious if modern systems prevent it from even being possible


Yes, that's why many systems have a jumper that has to
be in a particular position before the bios can be replaced.

- or if it's just not common because at the moment there
are currently far easier ways of attacking a system.


That's true too, it's not very common at all.

The latter might change as systems become more secure
(and/or users become more clueful about threats).


And it's easy enough to have a ute that checks if the jumper
is in the write enable position and warn the user about that.

And even easier to keep track of the bios hash and see if it gets changed.

Obviously what you want to build is a daemon that doesn't show up
in the process table, either as a process or in terms of RAM used...
doesn't get logged, whose internet accesses don't get recorded in
the machine's ethernet statistics.. so it's probably going to be a new
ethernet driver.. oh, and it must have the same file length and
checksum as the proper one. And you must erase all entries in all
logfiles relating to your access to install it.


I don't think the 'loader' stage would necessarily have to cover its
tracks to that extent - it would just need to look like a regular old
virus and re-flash the BIOS, while somehow concealing the fact it
had done the latter (which I suspect is easy at present because
AFAIK nobody habitually keeps a record of their BIOS checksum,


Most modern bios in fact do that and have done for a long time now
and notify when it gets changed.

so wouldn't know that it had been altered).


Sure, but the paranoid can obviously check that as well as disk files.

The major stumbling block from the virus point of view is the
diversity of BIOS code out there - I suspect it would either
have to detect the BIOS vendor and load malicious code from
something internal to the 'loader' code, or "phone home" to fetch
the appropriate code for the system it was trying to infect.


It likely wouldn't be that hard to find some generic place to put it.

The dodgy code which actually got installed in the BIOS area
could probably just assume a SATA drive and some flavour of
Windows, and that would cover a high enough proportion of
running machines to make that aspect worthwhile.


It isn't just the motherboard bios either, quite a few of
the drives have code which can be replaced live too.
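Rod's suggestion in this and the previous post, keeping a hash of the BIOS so that any change can be detected, as an added example that is my own and not code from any of the posters. The script assumes the firmware image has already been dumped to a file (how the dump is taken is outside the script; on Linux the flashrom tool's `-r` option reads the flash chip into a file). It records a whole-image SHA-256 plus one hash per 4 KiB block as a JSON baseline, and on a later dump reports whether anything changed and at which offsets, which is more useful than a single yes/no when you want to know whether a boot block or an option ROM region moved. The `demo()` function uses a constructed 64 KiB byte pattern in place of a real image. One caveat that follows from the thread's own point about restoring on a machine that isn't net accessible: a dump read through a running host is only as trustworthy as that host, so the baseline and later reads should come from a known-clean boot or an external programmer, and the baseline file should be kept off the machine.

```python
from __future__ import annotations
import hashlib
import json
import sys

BLOCK = 4096  # report changes at 4 KiB granularity, where a re-flashed region stands out


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_baseline(image: bytes) -> dict:
    """Whole-image hash plus a per-block hash list, so a later check can say *where* it changed."""
    return {
        "size": len(image),
        "sha256": sha256_hex(image),
        "blocks": [sha256_hex(image[i:i + BLOCK]) for i in range(0, len(image), BLOCK)],
    }


def compare(image: bytes, baseline: dict) -> dict:
    """Verdict for a fresh dump against a stored baseline.

    'unchanged' is the whole-image hash match; 'changed_offsets' lists the start of every
    4 KiB block whose hash differs (left empty when the image size itself changed, since
    block alignment means nothing in that case)."""
    current = make_baseline(image)
    if current["size"] != baseline["size"]:
        return {"unchanged": False, "size_changed": True, "changed_offsets": []}
    changed = [
        i * BLOCK
        for i, (now, then) in enumerate(zip(current["blocks"], baseline["blocks"]))
        if now != then
    ]
    return {
        "unchanged": current["sha256"] == baseline["sha256"],
        "size_changed": False,
        "changed_offsets": changed,
    }


def save_baseline(baseline: dict, path: str) -> None:
    with open(path, "w") as f:
        json.dump(baseline, f)


def load_baseline(path: str) -> dict:
    with open(path) as f:
        return json.load(f)


def demo() -> dict:
    # Constructed 64 KiB stand-in for a firmware image; not a real BIOS dump.
    clean = bytes((i * 31) & 0xFF for i in range(64 * 1024))
    baseline = make_baseline(clean)
    tampered = bytearray(clean)
    tampered[0x5000:0x5010] = b"\xEB\xFE" * 8  # 16 bytes patched inside the block at 0x5000
    return {"clean": compare(clean, baseline), "tampered": compare(bytes(tampered), baseline)}


def main(argv: list[str]) -> int:
    if len(argv) != 4 or argv[1] not in ("baseline", "check"):
        print("usage: fwcheck.py baseline|check <image.bin> <baseline.json>")
        return 2
    with open(argv[2], "rb") as f:
        image = f.read()
    if argv[1] == "baseline":
        save_baseline(make_baseline(image), argv[3])
        return 0
    verdict = compare(image, load_baseline(argv[3]))
    print(json.dumps(verdict, indent=2))
    return 0 if verdict["unchanged"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run `fwcheck.py baseline bios.bin bios-baseline.json` once from a trusted dump, then `fwcheck.py check bios.bin bios-baseline.json` after each later dump; a non-zero exit and a list of offsets is the signal to compare the two dumps by hand.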


#124 Posted to uk.d-i-y, Posts: 39,563
Idle fun for net hackers..

Tim Streater wrote:
In article ,
Jules Richardson wrote:

Yes, I don't think there's much BIOS interaction once a modern OS has
booted, but the point is that BIOS code *is* run at system startup ...


Only if you have a machine with a BIOS.

I am not sure how you bootstrap an OS without a modicum of BIOS or at
least a ROM based boot loader.

Unless the whole machine runs out of ROM..



--
To people who know nothing, anything is possible.
To people who know too much, it is a sad fact
that they know how little is really possible -
and how hard it is to achieve it.
#125 Posted to uk.d-i-y, Posts: 1,357
Idle fun for net hackers..



"The Natural Philosopher" wrote in message
...
dennis@home wrote:


Are you sure he is a troll, I thought he was just thick, very thick.


It's always a mistake to see yourself in others, dennis.


That's true, my biggest failing is crediting others with too much
intelligence.
You won't get that benefit again.



#126 Posted to uk.d-i-y, Posts: 39,563
Idle fun for net hackers..

dennis@home wrote:


"The Natural Philosopher" wrote in message
...
dennis@home wrote:


Are you sure he is a troll, I thought he was just thick, very thick.


It's always a mistake to see yourself in others, dennis.


That's true, my biggest failing is crediting others with too much
intelligence.


Indeed. You feel that they are at least as intelligent as a medium sized
frog, where you can only manage bacterial levels.

I have concluded that most people are so far ahead of you that you are
simply unable to recognise where they are at all.


You won't get that benefit again.


Nothing you have ever said on this group has been of any benefit to me
whatsoever apart from occasionally being so stupid it's actually amusing.



#127 Posted to uk.d-i-y, Posts: 2,397
Idle fun for net hackers..

On 01/03/2012 14:50, The Natural Philosopher wrote:
Jules Richardson wrote:
On Thu, 01 Mar 2012 06:30:06 +1100, Rod Speed wrote:

Tim Watts wrote
The Natural Philosopher wrote
Exactly, an undetectable change that results in no detectable activity
by anyone in the whole universe is not a security risk.
You may have a "potentially detectable" change, but for any practical
detection mechanism, I feel fairly safe in asserting that it could
potentially be hacked so as not to leave a trace *detectable by the
detection mechanism*.
Doesn't matter if you are fairly certain or not, there are obvious
examples where that isn't possible. Most obviously with a full restore
from image using a machine that isn't even net accessible.


Technically, is it possible to re-flash a PC's BIOS from a binary
running with sufficient permissions under the host OS, such that
malicious code could potentially run undetected following reboot,
regardless of whether hard disk contents were restored from an image
on another system?


It is not clear that Linux uses the BIOS at all, except to boot..

I SUPPOSE the bios might write something to the disk during boot..


It's not necessary to write anything to the disc. You just have to
alter what it reads. Or for that matter, most discs these days can have
their own firmware altered...

I've never heard of it happening, but I'm curious whether it could in
theory be done.


It's sort of along the lines of 'well you have smashed down the front
door and all you are going to steal is a magazine?'

In other words, given that sort of access, you could find easier targets.

Obviously what you want to build is a daemon that doesn't show up in the
process table, either as a process or in terms of RAM used... doesn't
get logged, whose internet accesses don't get recorded in the machine's
ethernet statistics.. so it's probably going to be a new ethernet
driver.. oh, and it must have the same file length and checksum as the
proper one. And you must erase all entries in all logfiles relating to
your access to install it.


Most of that can be overcome. For example the file doesn't have to be
the same length, it merely needs to be reported as the same length. It
won't show up in the process table because it's intercepted the
"getNextProcess" call to leave itself out. Or whatever mechanisms your
OS uses.

Whilst all that is theoretically possible, I am not sure that I could
actually find a way to implement it, let alone install it. And YOU want
a boot ROM to do that?


It's vanishingly unlikely that anyone could do it. But that isn't ZERO
probability any more than the national debt is infinite.

Now then the risk that you could shoot off my kneecap without me
noticing? As has been said, it depends what else is going on. If you
cut my head off at the same moment I'm quite likely not to notice.

Now I'm sure beyond reasonable doubt that my machine is clean. I'm not
certain - the men in the black helicopters _could_ have got to Intel and
AMD to make all the world's processors misbehave just for me. (But I'm
not _that_ paranoid)

Now then: How many angels can dance on the head of a pin? This is a
similar question in a way - is the answer infinite, or some arbitrary
finite number?

Andy
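A defender's counterpart to the hiding Andy describes above (a process that leaves itself out of the process listing, a file that is merely reported as the right length), as an added example that is mine and not Andy's or anyone else's in the thread: a cross-view consistency check. On Linux the set of task IDs that /proc reports is compared with a second, independently obtained view, namely every PID that answers to signal 0; anything present in the second view but absent from the first deserves a look. Thread IDs are folded into the /proc view because kill() accepts them, so without that step every thread of every multithreaded process would be reported as hidden. `size_views()` applies the same two-view idea to the file-length point: the size stat() reports against the number of bytes a full read actually returns. The demo uses a constructed temporary file. Both views still come from the same kernel, so a hook that covers both paths defeats this; it is a cheap consistency check, not proof that a system is clean, and the full-range probe takes a few seconds where pid_max is large.

```python
from __future__ import annotations
import os
import tempfile


def procfs_view() -> set[int]:
    """Task IDs as /proc lists them: every PID directory plus every thread under
    /proc/<pid>/task, so a multithreaded process does not look 'hidden' below."""
    seen: set[int] = set()
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        seen.add(pid)
        try:
            seen.update(int(t) for t in os.listdir(f"/proc/{pid}/task"))
        except (FileNotFoundError, ProcessLookupError, PermissionError):
            pass  # the task exited between the two listdir calls, or is not ours to read
    return seen


def probe_view(max_pid: int) -> set[int]:
    """Second view: signal 0 delivers nothing but tells us whether the ID exists."""
    alive: set[int] = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue          # no such task
        except PermissionError:
            pass              # exists, owned by someone else: still counts as alive
        alive.add(pid)
    return alive


def hidden_ids(listed: set[int], probed: set[int]) -> set[int]:
    """IDs the kernel admits exist but the listing did not show."""
    return probed - listed


def pid_max() -> int:
    with open("/proc/sys/kernel/pid_max") as f:
        return int(f.read().strip())


def find_hidden(passes: int = 2) -> set[int]:
    """Intersect several passes so short-lived tasks that start or exit mid-scan drop out."""
    limit = pid_max()
    result: set[int] | None = None
    for _ in range(passes):
        listed = procfs_view()
        probed = probe_view(limit)
        listed |= procfs_view()  # catch tasks created while the probe was running
        diff = hidden_ids(listed, probed)
        result = diff if result is None else result & diff
    return result or set()


def size_views(path: str) -> tuple[int, int]:
    """(size as stat() reports it, size as a full read actually returns)."""
    reported = os.stat(path).st_size
    actual = 0
    with open(path, "rb") as f:
        while True:
            chunk = f.read(1 << 16)
            if not chunk:
                break
            actual += len(chunk)
    return reported, actual


def demo_size_check() -> bool:
    # Constructed sample file; on an unmodified system the two views agree.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"sample driver bytes" * 1000)
        path = tmp.name
    try:
        reported, actual = size_views(path)
        return reported == actual == 19000
    finally:
        os.unlink(path)


if __name__ == "__main__":
    hidden = find_hidden()
    print("hidden task ids:", sorted(hidden) if hidden else "none")
    print("size views agree on sample file:", demo_size_check())
```

Run it as root if you want PermissionError to be rare rather than the common case, and run it twice before believing a result: a single stray ID is far more often a task that exited mid-scan than anything hidden.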
#128 Posted to uk.d-i-y, Posts: 944
Idle fun for net hackers..


"The Natural Philosopher" wrote in message
...
Tim Streater wrote:
In article ,
Jules Richardson wrote:

Yes, I don't think there's much BIOS interaction once a modern OS has
booted, but the point is that BIOS code *is* run at system startup ...


Only if you have a machine with a BIOS.

I am not sure how you bootstrap an OS without a modicum of BIOS or at
least a ROM based boot loader.

Unless the whole machine runs out of ROM..



Just wandering idly by after a holiday break.
Just wondered (reading all this stuff) if something was inserted into RAM at
boot time, ran memory resident, and kept an area of SWAP for any data
storage, how detectable would it be in the log files?
Or even if it used raw access to the disc to use any spare, unformatted
areas or suchlike?
Certainly wouldn't show up on any checksum of the filestore.

--
No plan survives contact with the enemy.
[Not even bunny]

Helmuth von Moltke the Elder

(\__/)
(='.'=)
(")_(")

#129 Posted to uk.d-i-y, Posts: 39,563
Idle fun for net hackers..

David WE Roberts wrote:

"The Natural Philosopher" wrote in message
...
Tim Streater wrote:
In article ,
Jules Richardson wrote:

Yes, I don't think there's much BIOS interaction once a modern OS
has booted, but the point is that BIOS code *is* run at system
startup ...

Only if you have a machine with a BIOS.

I am not sure how you bootstrap an OS without a modicum of BIOS or at
least a ROM based boot loader.

Unless the whole machine runs out of ROM..



Just wandering idly by after a holiday break.
Just wondered (reading all this stuff) if something was inserted into
RAM at boot time, ran memory resident, and kept an area of SWAP for any
data storage, how detectable would it be in the log files?


If it didn't log, it wouldn't be in the logs.
But you would need to install the program that did it, and that would be
root access and would be logged.

RAM comes empty - or random rather.
Anything to be put into it needs a disk based file.

Disk based files are detectable



Or even if it used raw access to the disc to use any spare, unformatted
areas or suchlike?
Certainly wouldn't show up on any checksum of the filestore.



#130 Posted to uk.d-i-y, Posts: 40,893
Idle fun for net hackers..

David WE Roberts wrote:
"The Natural Philosopher" wrote in message
...
Tim Streater wrote:
In article ,
Jules Richardson wrote:

Yes, I don't think there's much BIOS interaction once a modern OS
has booted, but the point is that BIOS code *is* run at system
startup ...

Only if you have a machine with a BIOS.

I am not sure how you bootstrap an OS without a modicum of BIOS or at
least a ROM based boot loader.

Unless the whole machine runs out of ROM..



Just wandering idly by after a holiday break.
Just wondered (reading all this stuff) if something was inserted into
RAM at boot time, ran memory resident, and kept an area of SWAP for
any data storage, how detectable would it be in the log files?
Or even if it used raw access to the disc to use any spare,
unformatted areas or suchlike?
Certainly wouldn't show up on any checksum of the filestore.


You'd still have to get it inserted into ram at boot time
without leaving any traces of getting that onto the system.
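David's question about something memory resident that keeps its data in swap or unformatted disc space, and whether it would show up anywhere, has one answer the thread doesn't spell out: it shows up in the process's own memory map. As an added example (mine, not from David's, TNP's or Rod's posts), on Linux /proc/<pid>/maps lists every region a process has mapped with its permissions and backing file, and executable regions with no backing file at all, or whose backing file has been deleted, are exactly what code that never lives as a normal file on the filestore looks like. `SAMPLE_MAPS` is constructed in the /proc/<pid>/maps line format; `scan_all()` does the same over the live system. JIT runtimes (browsers, Java) legitimately create anonymous executable pages, so this produces candidates for review, not verdicts.

```python
from __future__ import annotations
import os
import re
from dataclasses import dataclass

# /proc/<pid>/maps line layout: start-end perms offset dev inode [pathname]
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+(\d+)\s*(.*)$")
# Kernel-provided executable pages that are anonymous by design and not worth flagging.
KERNEL_PSEUDO = {"[vdso]", "[vsyscall]"}


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    inode: int
    path: str


def parse_maps(text: str) -> list[Mapping]:
    """Parse the text of a maps file; lines that don't fit the layout are skipped."""
    out: list[Mapping] = []
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue
        out.append(Mapping(int(m[1], 16), int(m[2], 16), m[3], int(m[4]), m[5].strip()))
    return out


def suspicious_mappings(mappings: list[Mapping]) -> list[tuple[str, Mapping]]:
    """Executable regions with no file behind them, or a file that no longer exists."""
    findings: list[tuple[str, Mapping]] = []
    for mp in mappings:
        if "x" not in mp.perms or mp.path in KERNEL_PSEUDO:
            continue
        if mp.path.endswith(" (deleted)"):
            findings.append(("executable mapping backed by a deleted file", mp))
        elif mp.inode == 0 and (mp.path == "" or mp.path.startswith("[anon")):
            findings.append(("anonymous executable mapping", mp))
    return findings


def scan_process(pid: int) -> list[tuple[str, Mapping]]:
    with open(f"/proc/{pid}/maps") as f:
        return suspicious_mappings(parse_maps(f.read()))


def scan_all() -> dict[int, list[tuple[str, Mapping]]]:
    """Every live process with at least one finding, keyed by PID."""
    results: dict[int, list[tuple[str, Mapping]]] = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            findings = scan_process(int(name))
        except (FileNotFoundError, PermissionError, ProcessLookupError):
            continue  # exited mid-scan, or not ours to read without root
        if findings:
            results[int(name)] = findings
    return results


# Constructed sample in the /proc/<pid>/maps format; addresses and paths are made up.
SAMPLE_MAPS = "\n".join([
    "55e3a2c00000-55e3a2c01000 r-xp 00000000 08:01 1310722                    /usr/bin/sleep",
    "7f10d8000000-7f10d8021000 rw-p 00000000 00:00 0 ",
    "7f10d9100000-7f10d9101000 rwxp 00000000 00:00 0 ",
    "7f10d9200000-7f10d9210000 r-xp 00000000 00:12 4711                       /dev/shm/sample (deleted)",
    "7ffd5b7c0000-7ffd5b7e0000 rw-p 00000000 00:00 0                          [stack]",
    "7ffd5b7e0000-7ffd5b7e2000 r-xp 00000000 00:00 0                          [vdso]",
])


def demo() -> list[tuple[str, Mapping]]:
    return suspicious_mappings(parse_maps(SAMPLE_MAPS))


if __name__ == "__main__":
    for reason, mp in demo():
        print(f"sample: {reason} at {mp.start:#x}-{mp.end:#x} {mp.path}")
    for pid, findings in sorted(scan_all().items()):
        for reason, mp in findings:
            print(f"pid {pid}: {reason} at {mp.start:#x}-{mp.end:#x} {mp.path}")
```

Pairing this with a file-tree checksum covers both halves of David's question: the checksum catches what touches the filestore, and the maps scan catches what is careful not to.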


Powered by vBulletin® Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Copyright ©2004-2024 DIYbanter.
The comments are property of their posters.
 
