Abstract
In the last few years, many different attacks against computing platforms targeting hardware or low-level firmware have been published. Such attacks are generally quite hard to detect and to defend against, as they target components that are outside the scope of the operating system and may not have been taken into account in the security policy enforced on the platform. In this paper, we study the case of remote attacks against network adapters. In our case study, we assume that the target adapter is running a flawed firmware that an attacker may subvert remotely by sending packets over the network to the adapter. We study possible detection techniques and their efficiency. We show that, depending on the architecture of the adapter and the interface the NIC provides to the host operating system, building an efficient detection framework is possible. We explain the choices we made when designing such a framework, which we call NAVIS, and give details on our proof-of-concept implementation.
Copyright information
© 2011 Springer-Verlag Berlin Heidelberg
Cite this paper
Duflot, L., Perez, YA., Morin, B. (2011). What If You Can’t Trust Your Network Card?. In: Sommer, R., Balzarotti, D., Maier, G. (eds) Recent Advances in Intrusion Detection. RAID 2011. Lecture Notes in Computer Science, vol 6961. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-23644-0_20
DOI: https://doi.org/10.1007/978-3-642-23644-0_20
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-23643-3
Online ISBN: 978-3-642-23644-0
eBook Packages: Computer Science (R0)