EURECOM: engineering school and research center in digital sciences

Implementation and implications of a stealth hard-drive backdoor

Zaddach, Jonas; Kurmus, Anil; Balzarotti, Davide; Blass, Erik Olivier; Francillon, Aurélien; Goodspeed, Travis; Gupta, Moitrayee; Koltsidas, Ioannis

ACSAC 2013, 29th Annual Computer Security Applications Conference, December 9-13, 2013, New Orleans, Louisiana, USA

Best Student Paper Award

Modern workstations and servers implicitly trust hard disks to act as well-behaved block devices. This paper analyzes the catastrophic loss of security that occurs when hard disks are not trustworthy. First, we show that it is possible to compromise the firmware of a commercial off-the-shelf hard drive, by resorting only to public information and reverse engineering. Using such a compromised firmware, we present a stealth rootkit that replaces arbitrary blocks from the disk while they are written, providing a data replacement backdoor. The measured performance overhead of the compromised disk drive is less than 1% compared with a normal, non-malicious disk drive. We then demonstrate that a remote attacker can even establish a communication channel with a compromised disk to infiltrate commands and to exfiltrate data. In our example, this channel is established over the Internet to an unmodified web server that relies on the compromised drive for its storage, passing through the original web server, database server, database storage engine, filesystem driver, and block device driver. Additional experiments, performed in an emulated disk-drive environment, could automatically extract sensitive data such as /etc/shadow (or a secret key file) in less than a minute. This paper claims that the difficulty of implementing such an attack is not limited to the area of government cyber-warfare; rather, it is well within the reach of moderately funded criminals, botnet herders and academic researchers.
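As an added illustration of the mechanism the abstract describes, and not the paper's code nor the firmware the authors modified, the following C model simulates a drive whose write path silently rewrites a matching block before it reaches the media (data replacement) and whose read path serves a different block once a trigger string has been written through the normal storage stack (the infiltration/exfiltration channel). The trigger tag EXAMPLE-MAGIC:, the command syntax X<src>,<dst>, the 64-byte block size, the substitution table and all sample data are constructed assumptions for the example; a real drive's firmware operates on 512-byte or 4 KiB sectors and the host never sees the firmware's RAM state.

```c
/* Added example: toy model of a backdoored disk firmware's write/read path.
 * Not the paper's code; MAGIC, command syntax, block size and sample data are
 * constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE 64
#define NUM_BLOCKS 16
#define MAGIC "EXAMPLE-MAGIC:"   /* hypothetical trigger tag */

typedef struct {
    uint8_t blocks[NUM_BLOCKS][BLOCK_SIZE]; /* the "platters" */
    /* Backdoor state lives in firmware RAM and is invisible to the host. */
    int exfil_src;          /* block whose contents will be leaked, or -1 */
    int exfil_dst;          /* host-readable block substituted on next read */
    const char *sub_from;   /* write-time replacement: bytes to look for */
    const char *sub_to;     /* same-length bytes stored instead */
} disk_t;

static void disk_init(disk_t *d) {
    memset(d, 0, sizeof *d);
    d->exfil_src = d->exfil_dst = -1;
    /* Constructed substitution: root's shadow entry is swapped for one whose
     * hash the attacker knows. Equal length keeps the on-disk layout intact. */
    d->sub_from = "root:$6$ORIGINALHASH";
    d->sub_to   = "root:$6$ATTACKERHASH";
}

/* Locate a byte pattern inside a block (blocks are not NUL-terminated). */
static int block_find(const uint8_t *blk, const char *pat) {
    size_t n = strlen(pat);
    for (size_t i = 0; i + n <= BLOCK_SIZE; i++)
        if (memcmp(blk + i, pat, n) == 0) return (int)i;
    return -1;
}

/* Inspect every outgoing write. The host wrote the block for its own reasons
 * (a log line, a DB row); the firmware merely watches for the trigger. */
static void backdoor_on_write(disk_t *d, uint8_t *blk) {
    int pos = block_find(blk, MAGIC);
    if (pos >= 0) {
        char cmd[BLOCK_SIZE + 1];
        size_t off = (size_t)pos + strlen(MAGIC);
        memcpy(cmd, blk + off, BLOCK_SIZE - off);
        cmd[BLOCK_SIZE - off] = '\0';
        int src, dst;
        /* "X<src>,<dst>": on the next read of <dst>, return <src> instead. */
        if (cmd[0] == 'X' && sscanf(cmd + 1, "%d,%d", &src, &dst) == 2 &&
            src >= 0 && src < NUM_BLOCKS && dst >= 0 && dst < NUM_BLOCKS) {
            d->exfil_src = src;
            d->exfil_dst = dst;
        }
    }
    /* Data replacement: rewrite matching bytes before they hit the media. */
    pos = block_find(blk, d->sub_from);
    if (pos >= 0) memcpy(blk + pos, d->sub_to, strlen(d->sub_to));
}

/* Host-facing block API, i.e. what the drive's command layer exposes. */
static void disk_write(disk_t *d, int lba, const uint8_t in[BLOCK_SIZE]) {
    uint8_t tmp[BLOCK_SIZE];
    memcpy(tmp, in, BLOCK_SIZE);
    backdoor_on_write(d, tmp);          /* the only change from a benign drive */
    memcpy(d->blocks[lba], tmp, BLOCK_SIZE);
}

static void disk_read(disk_t *d, int lba, uint8_t out[BLOCK_SIZE]) {
    int src = lba;
    if (lba == d->exfil_dst && d->exfil_src >= 0) {
        src = d->exfil_src;               /* serve the secret in place of the page */
        d->exfil_src = d->exfil_dst = -1; /* one shot, then look benign again */
    }
    memcpy(out, d->blocks[src], BLOCK_SIZE);
}

/* Store a short string zero-padded to one block. */
static void disk_write_str(disk_t *d, int lba, const char *s) {
    uint8_t blk[BLOCK_SIZE] = {0};
    size_t n = strlen(s);
    memcpy(blk, s, n < BLOCK_SIZE ? n : BLOCK_SIZE - 1);
    disk_write(d, lba, blk);
}

/* Replays the abstract's scenario. Returned bits: 1 = shadow entry replaced
 * at write time, 2 = reading the web page leaked the key, 4 = next read benign. */
static int run_scenario(void) {
    disk_t d; uint8_t blk[BLOCK_SIZE]; int result = 0;
    disk_init(&d);
    disk_write_str(&d, 2, "root:$6$ORIGINALHASH:19000:0:99999:7:::");  /* /etc/shadow */
    disk_write_str(&d, 3, "-----BEGIN PRIVATE KEY----- (constructed)");  /* secret key */
    disk_write_str(&d, 7, "<html>hello</html>");                       /* index.html */
    disk_read(&d, 2, blk);
    if (block_find(blk, "root:$6$ATTACKERHASH") == 0) result |= 1;
    /* The attacker's HTTP request is logged by the unmodified web stack,
     * so the firmware sees the command as an ordinary write. */
    disk_write_str(&d, 9, "GET /?q=EXAMPLE-MAGIC:X3,7 HTTP/1.1");
    disk_read(&d, 7, blk);            /* attacker now fetches index.html */
    if (block_find(blk, "BEGIN PRIVATE KEY") >= 0) result |= 2;
    disk_read(&d, 7, blk);
    if (block_find(blk, "<html>") == 0) result |= 4;
    return result;
}

int main(void) {
    int r = run_scenario();
    printf("replaced=%d leaked=%d benign_again=%d\n", r & 1, (r >> 1) & 1, (r >> 2) & 1);
    return r == 7 ? 0 : 1;
}
```

Two design points carry over to the real attack: the drive never needs to parse a filesystem, only to pattern-match the bytes that the host hands it, which is why the command can ride in a web access log or a database row; and the host has no way to audit this from software, since every read goes through the same firmware, so detection has to come from an independent reference (a second drive, a hash of known-good blocks, or firmware attestation).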


Title: Implementation and implications of a stealth hard-drive backdoor
Type: Conference
Language: English
City: New Orleans
Country: United States
Date:
Department: Digital Security
Eurecom ref: 4131
Copyright: © ACM, 2013. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in ACSAC 2013, 29th Annual Computer Security Applications Conference, December 9-13, 2013, New Orleans, Louisiana, USA http://dx.doi.org/10.1145/2523649.2523661
Bibtex: @inproceedings{EURECOM+4131, doi = {http://dx.doi.org/10.1145/2523649.2523661}, year = {2013}, title = {{I}mplementation and implications of a stealth hard-drive backdoor}, author = {{Z}addach, {J}onas and {K}urmus, {A}nil and {B}alzarotti, {D}avide and {B}lass, {E}rik {O}livier and {F}rancillon, {A}ur{\'e}lien and {G}oodspeed, {T}ravis and {G}upta, {M}oitrayee and {K}oltsidas, {I}oannis}, booktitle = {{ACSAC} 2013, 29th {A}nnual {C}omputer {S}ecurity {A}pplications {C}onference, {D}ecember 9-13, 2013, {N}ew {O}rleans, {L}ouisiana, {USA}}, address = {{N}ew orleans, {\'{E}}{TATS}-{UNIS}}, month = {12}, url = {http://www.eurecom.fr/publication/4131} }