[Dailydave] Whitepaper: Implementing and Detecting a PCI Rootkit
Dan Moniz
dnm at pobox.com
Thu Nov 16 19:40:21 Local time 2006
On 11/16/06 10:47 AM, "sinan.eren at immunitysec.com"
<sinan.eren at immunitysec.com> wrote:
> I should also note that when you have a FPGA based solution, there is no
> ROM to be investigated for potential malware. You might still hope to
> detect the subversion in kernel space though, of course that is a bit
> naive, given that you don't know all the possible hooks one can place.
There should be *some* ROM, if the design is non-volatile, and it would have
to be if you plan to have these cards lying around until you pop them in a
machine. A PROM serving as platform flash should exist on the board to hold
the image for the FPGA to load. Retrieving data from external platform flash
PROMs is not all that difficult.
If you wanted to get away with no external (outside of the die) memory,
you'd have to use CPLDs (closer gate counts to FPGAs) or PALs. Technically
there's still non-volatile memory in this case too, but it's on-die. That
can raise the barrier significantly compared to FPGA-based designs.
Be sure to remove all the JTAG pins and bury your traces in a multi-layer
board, and coat the entire thing in epoxy and tamper-sensitive packaging. If
I (the royal "I" in this case, natch) can get to a wire or wires without
triggering some self-destruct condition, I can almost certainly recover
something.
--
Dan Moniz <dnm at pobox.com> [http://pobox.com/~dnm/]