Last Updated: 2007-03-04 20:02:52 UTC
by Maarten Van Horenbeeck (Version: 1)
Last week one of my colleagues mentioned that he found it strange that people always assume software is the issue when IT-related problems occur. He hit the nail right on the head: is hardware really more trustworthy?
Polish security researcher Joanna Rutkowska last week gave some good evidence that this need not always hold true. At the Blackhat conference in Washington, DC, she showed three different scenarios in which software can fool hardware-based forensic acquisition of RAM.
The attacks, while still only theoretical, were developed for the AMD64 platform and could allow software running on a compromised system to cause such acquisition tools to crash, to read out "garbage" data, or even to present them with fake content. This could make it impossible for a forensic investigator to discover malware in memory, even though it is in fact there.
Intelligence principles have always dictated that we need to be very careful where we get our information from, and preferably triangulate it with other sources. Understanding whether the source of our information has a motivation to lie to us is becoming more and more important. In essence, Joanna shows that DMA (direct memory access) really isn't all that direct, and we need to better understand the limitations of our tools.
Maarten Van Horenbeeck